Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users Affected (2016-04-24 21:17)

We've recently intercepted a currently ongoing malicious malvertising attack affecting thousands of users globally, potentially exposing their PCs to a multitude of malicious software and compromising the integrity, confidentiality and availability of their PCs.

The campaign relies on the Angler Web malware exploitation kit to serve malicious software on the PCs of affected users, exposing them to a multitude of malicious software and potentially leading to a compromise of their PCs. Once users visit a legitimate Web site that is part of the campaign, their PCs automatically become part of the botnet operated by the cybercriminals behind it, with the campaign relying on the exploitation of a well known client-side vulnerability.

Cybercriminals often rely on compromised accounting data, obtained through active data mining of a botnet's infected population, in order to embed malicious client-side exploits on well known and highly popular Web sites, next to the active client-side exploitation of known vulnerabilities found on public and well known Web sites. Yet another highly popular attack vector remains the use of a compromised advertiser network publisher's account, in order to take advantage of the publisher's already established clean network reputation.

In this post, we'll profile the malicious campaign, provide actionable intelligence on the infrastructure behind it, provide malicious MD5s, and discuss in depth the tactics, techniques and procedures utilized by the cybercriminals behind it.

Sample detection rate for the Trojan.Win32.Waldek.gip malware:

MD5: f2b92d07bb35fl649b015a5acl0d6f05 

Once executed the sample phones back to: 

hxxp://datanet.cc/extra/status.html - 146.185.251.154 

Malicious URLs used in the campaign:

hxxp://gamergrad.top/track/k.track?wd=48&fid=2 - 104.24.112.169

hxxp://talk915.pw/track/k.track?wd=48&fid=2 - 104.27.190.84

Known to have responded to the same IP (146.185.251.154) are also the following malicious domains:

hxxp://crenwat.cc

hxxp://oldbog.cc 

hxxp://datanet.cc 

hxxp://glomwork.cc 

hxxp://speedport.cc 

hxxp://myhostelub.cc

hxxp://terminreg.ee

hxxp://eurrentnow.ee

hxxp://eopyinv.ee 

hxxp://lableok.ee

hxxp://agentad.cc

hxxp://appclone.cc 

hxxp://tune4.cc 

hxxp://objects.cc 

Once executed, the sample phones back to the following C&C server:

hxxp://188.138.70.19 

Known to have responded to the same IP (188.138.70.19) are also the following malicious domains:

hxxp://alfatrade.cxaff.com

hxxp://affiliates.alfatrade.com

Known to have phoned back to the same malicious C&C server are also the following malicious MD5s:

MD5: aaa6559738f74bd7a2fflb025a287043 

MD5: b919a06e79318c0d50b8961b0e32eb0a 

MD5: a384337cad9335b34d877dd4c59c73ce 

MD5: e7b7b7664e89bel8bcf2b79ccll6731f 

MD5: d712ddbc9b4fb27d950be93clel44cce 

Related malicious MD5s known to have phoned back to the same C&C server:

MD5: aaa6559738f74bd7a2fflb025a287043

MD5: b919a06e79318c0d50b8961b0e32eb0a

MD5: a2bd512e438801a2aal871a2ac28e5bd

MD5: f01f9ded34cfe21098a2275563cf0d9d

MD5: e7b7b7664e89bel8bcf2b79ccll6731f

This post has been reproduced from [1]Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/
Analyzing the Bill Gates Botnet - An Analysis (2016-04-24 22:47)

We've recently intercepted a high-profile, Linux-based, botnet-driven type of malicious software that's capable of launching a multitude of malicious attacks from compromised servers, potentially exposing the integrity, confidentiality and availability of the compromised servers. Malicious attackers often rely on compromised servers in order to utilize the access for malicious purposes, including the capability to launch DDoS (Distributed Denial of Service) attacks, the ability to spread additional malicious software to potential users, and the capability to monetize access to the service by launching DDoS-for-hire type of malicious and fraudulent services, including the capability to launch high performance DDoS attacks.

In this post, we'll profile and analyze the Bill Gates botnet, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to be part of the Bill Gates botnet:

MD5: 5dl0bcbl5bedb4b94092c4c2e4d245b6

MD5: 0d79802eeae43459ef0f6f809ef74ecc

MD5: 9a77fladl25cf34858be5e438b3f0247

MD5: a89c089b8d020034392536d66851b939

MD5: a5b9270a317c9ef0beda992183717b33

Known Bill Gates botnet C&C server:

hxxp://dgnfd564sdf.com - 122.224.34.42; 122.224.50.37 

Malicious C&C servers known to be part of the Bill Gates botnet:

202.103.178.76

121.12.110.96 

112.90.252.76 

112.90.22.197 

112.90.252.79 

Known to have responded to the same malicious IP (122.224.50.37) are also the following malicious domains:

hxxp://lfs99.com

hxxp://chchong.com 

hxxp://uc43.net 

hxxp://59wgw.com 

hxxp://frade8c.com 

hxxp://96hb.com

hxxp://cq670.com

hxxp://776ka.com 

Malicious MD5s known to have phoned back to the same C&C server IP (122.224.50.37):

MD5: 6739ca4a835c7976089e2f00150f252b

MD5: eb234cee4ff769f2b38129bcl64809d2 

MD5: dc893dl6316489dffa4e8d86040189b2 

MD5: 0clcac2a019aalcc2dcc0d3bl7fc4477 

MD5: b7765076af036583fc81a50bd0b2a663 

Known to have responded to the same malicious IP (122.224.34.42) are also the following malicious domains:

hxxp://76.wawall.com
hxxp://903.wawall.com
hxxp://904.wawall.com
hxxp://905.wawall.com
hxxp://906.wawall.com
hxxp://907.wawall.com
hxxp://9lww.0574yu.com
hxxp://9911sf.com
hxxp://901.t772277.com
hxxp://aisf.juxll4.com
hxxp://520.wawall.com
hxxp://awooolsf.com
hxxp://2288game.com
hxxp://588bc.com
hxxp://488game.com

Malicious MD5s known to have been downloaded from the same malicious C&C server IP (122.224.34.42):

MD5: 5cll0bcbl5beclb4b94092c4c2e4cl245b6

MD5: 9a77flacll25cf34858be5e438b3f0247 

Malicious MD5s known to have phoned back to the same malicious C&C server IP (122.224.34.42):

MD5: 815e453b6e268aclclf6a6763bfe013928 

Once executed the sample phones back to the following malicious C&C server IPs:

hxxp://awooolsf.com/222.txt - 122.224.34.42 

hxxp://xxx.com/download/xx.exe - 67.23.112.226

Known to have responded to the same malicious IP (67.23.112.226) are also the following malicious domains:

hxxp://falconglobalimpex.com

hxxp://deschatz-army.net 

hxxp://m.xxx.com 

hxxp://xxx.com
hxxp://xxxsites.com
hxxp://t.xxx.com 
hxxp://m.xxx.org 
hxxp://m.xxxsites.com 
hxxp://xxx.org 

Known to have been downloaded from the same 
malicious IP (67.23.112.226) are also the following 
malicious MD5s: 

MD5: b4b483eb0d25fa3a9ec589ebll467ab8 

Known to have phoned back to the same malicious C&C server (67.23.112.226) are also the following malicious MD5s:

MD5: 53a7fc24cbl9463f8df3f4fe3ffd79b9 
MD5: 268b8bcacecl73eace3079db709b9c69 
MD5: 0faf6988dfeaa98241cl9fd834ecal94 
MD5: 87f8ffebl7a72fda7cf28745fa7a6be8 
MD5: C973f818a5f9326c412ac9c4dfaeb0bd 
This post has been reproduced from [1]Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/

Malware Campaign Using Google Docs Intercepted, Thousands of Users Affected (2016-04-26 20:13)

We've recently intercepted a malicious campaign utilizing Google Docs for the purpose of spreading malicious software, potentially exposing the confidentiality, integrity and availability of the targeted hosts.

In this post, we'll profile the malicious campaign, expose the malicious infrastructure behind it, provide MD5s, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL: 

hxxp://younglean.cba.pl/lean/ - 95.211.80.4

Sample malicious URL hosting locations:

hxxp://ecku.cba.pl/js/bin.exe 

hxxp://mondeodoslubu.cba.pl/js/bin.exe 

hxxp://piotrkochanski.cba.pl/js/bin.exe 

hxxp://szczuczynsp.cba.pl/122/091.exe 

Known to have responded to the same malicious IP (95.211.80.4) are also the following malicious domains:

hxxp://barbedosgroup.cba.pl

hxxp://brutalforce.pl 

hxxp://christophar-hacker.pl

hxxp://moto-przestrzen.pl

hxxp://eturva.yO.pl

hxxp://lingirlie.com
hxxp://ogladajmecz.com.pl
hxxp://oriflamekonkurs2ll6.c0.pl
hxxp://umeblowani.cba.pl
hxxp://webaclminvaliclation.cba.pl
hxxp://adamr.pl
hxxp://alea.cba.pl
hxxp://artbymachonis.cba.pl
hxxp://beqwqgdu.cba.pl
hxxp://bleachonIine.pl
hxxp://facebook-profile-natalia9320.j.pl
hxxp://flIrevl978.cba.pl
hxxp://gotowesms.pl
hxxp://kbvdfuh.cba.pl
hxxp://maplkal977.c0.pl
hxxp://nagrobkiartek.pl
hxxp://nyzusbojpxnl.cba.pl
hxxp://okiIhl973.cba.pl
hxxp://pucusej.cba.pl
hxxp://sajtom.pl
hxxp://tarnowiec.net.pl
hxxp://techtell.pl
hxxp://testujemypi.cba.pl
hxxp://lawendowawyspa.cba.pl
hxxp://younglean.cba.pl
hxxp://clelegaturaszczecin.cba.pl
hxxp://metzmoerex.cba.pl
hxxp://kmpk.c0.pl
hxxp://500plus.c0.pl
hxxp://erxhxrrb1981.cba.pl
hxxp://exztwsl.cba.pl
hxxp://fafrvfa.cba.pl
hxxp://fastanclfurios.cba.pl
hxxp://fiImonline.cba.pl
hxxp://fragcraft.pl
hxxp://fryzjer.cba.pl
hxxp://hgeclkoml973.cba.pl
hxxp://luyfivl972.cba.pl
hxxp://oliviasekulska.com
hxxp://opziwr-zamosc.pl
hxxp://ostro.ga
hxxp://rodzina500plus.c0.pl
hxxp://roknasilowni.tk
hxxp://vfqqgrl971.cba.pl

Sample malicious MD5s known to have phoned back to the same malicious IP (95.211.80.4):

MD5: 495f05cl7ebcal022cla2cclcll700aeac39

MD5: 68abcl8a3a8cl8c59f638e50ab0c386a4 

MD5: 65b4bclba2cl3b3e92b8b96cl7cl9ba7f88e 

MD5: 64b5c6b20e2cl758a008812clf99a5958e 

MD5: a0869b751e4a0bf27685f2f8677f9c62 

Once executed the sample phones back to the following C&C servers:

hxxp://smartoptionsinc.com - 216.70.228.110

hxxp://ppc.cba.pl - 95.211.80.4 

hxxp://apps.iclentrust.com - 192.35.177.64 

hxxp://cargol.cat - 217.149.7.213 

hxxp://bikeceuta.com - 91.142.215.77 

This post has been reproduced from [1]Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/

Malicious Client-Side Exploits Serving Campaign Intercepted, Thousands of Users Affected (2016-04-26 20:39)

We've recently intercepted a currently circulating malicious campaign utilizing a variety of compromised Web sites for the purpose of serving malicious software to socially engineered users.

In this post, we'll profile the campaign and the infrastructure behind it, provide actionable intelligence and MD5s, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL: 

hxxp://directbalancejs.com/module.so - 37.48.116.208; 
31.31.204.161 

hxxp://2-eco.ru 

hxxp://2401.ru 

hxxp://24xxx.site 

hxxp://3502050.ru 

hxxp://6553009.xyz 

hxxp://7032949.ru 

hxxp://academing.ru

hxxp://academyfinance.ru

hxxp://activelifelab.com
hxxp://advokat-mikheev.ru
hxxp://advokatstav.ru
hxxp://akvahim98.ru
hxxp://ai-minbar.ru
hxxp://aiiesmarket.com
hxxp://aiitrump.ru
hxxp://aitropasso.ru
hxxp://ambertao.info
hxxp://ambertao.org
hxxp://ancra.ru
hxxp://andr-6-update.ru
hxxp://android-new.ru
hxxp://androidid-6-new.ru
hxxp://angrymuitik.ru
hxxp://animaciyafoto.ru
hxxp://animaciyaoniine.ru
hxxp://animaciyastiker.ru
hxxp://animationiine.ru
hxxp://animehvost.ru
hxxp://anyen.ru
hxxp://anywifi.online
hxxp://apple-pro.moscow
hxxp://appliancerepairmonster.com
hxxp://aptechka.farm
hxxp://arbosfera.ru
hxxp://archsalut.ru
hxxp://arstcl.ru
hxxp://aslanumarov.ru
hxxp://atlantecl.ru
hxxp://aurispc.ru
hxxp://avangarclmaster.ru
hxxp://aviacorp24.ru
hxxp://awpashko.com

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MD5s:

MD5: c3754018clab05b3b8aac5fe8100076ce 

Once executed the sample phones back to the following C&C server:

hxxp://info-get.ru - 31.31.204.161

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MD5s:

MD5: 4ff9bd7a045b0fe42a8f633428a59732 

MD5: 46bleaae5b53668a7ac958aecf4e57c3 

MD5: d643025c5d0a2a2940502f4bl5cal801 

MD5: 75dce2d84540153107024576bfce08fc 

MD5: a23235ed940a75f997cl27f59b09011d 

This post has been reproduced from [1]Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/

Malicious Campaign Affects Hundreds of Web Sites, Thousands of Users Affected (2016-05-16 10:33)

We've recently intercepted a currently circulating malicious campaign affecting hundreds of Web sites and exposing users to a multitude of malicious software.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious URLs used in the campaign:

hxxp://default7.com - 199.48.227.25 

hxxp://test246.com - 54.208.99.166 

hxxp://test0.com - 72.52.4.119 

hxxp://distinctfestive.com - 54.208.99.166 

hxxp://ableoccassion.com - 54.208.99.166 

Sample malware used in the campaign:

MD5: 9854fl4ca653ee7c6bf6506d823f7371 

Once executed, a sample malware phones back to the following C&C server:

hxxp://intva31.homelandcustom.info (52.6.18.250) 

Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:

MD5: fd368af200fd835687997ca2a4a0389b 

MD5: C0379cdal717dle05c938f8e06c04a46 

MD5: 60eef5bll6579d75b272a61e40716bc0 

MD5: 8481f23748358fbfd5c36cea53c90793 

MD5: 0953f8ec3f0001b3e5f3490203135def 

Once executed, a sample malware phones back to the following C&C servers:

hxxp://ii55.net (69.172.201.153)

hxxp://rwai.net (54.208.99.166)

Known to have phoned back to the same malicious C&C server IP (69.172.201.153) are also the following malicious MD5s:

MD5: 5979f69be8b6716c0832b6831c398914 

MD5: a27083ffl9bl87cbc64644bcl0d2afll 

MD5: b9306bb08ac502c7bcaf3d7e0cd9d846 

MD5: Cd34980dda700d07b93eef7910a2a8be 

MD5: b708860e7962bl0e26568c9b037765df 

Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:

MD5: 9854fl4ca653ee7c6bf6506d823f7371 

MD5: 90a88230d5b657ced3b2d71162a33cff 

MD5: 70465233d93aa88868d7091454592a80 

MD5: f8e21525c6848f45e4ab77aee05f0a28 

Related malicious MD5s known to have phoned back to the same malicious C&C server (54.208.99.166):

MD5: fd368af200fd835687997ca2a4a0389b 
MD5: C0379cdal717dle05c938f8e06c04a46

MD5: 60eef5bll6579d75b272a61e40716bc0

MD5: 8481f23748358fbfd5c36cea53c90793

MD5: 0953f8ec3f0001b3e5f3490203135def

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Cybercriminals Offer Fake/Fraudulent Press Documents Accreditation On Demand (2016-08-16 20:07)

In a cybercrime ecosystem dominated by fraudulent market propositions, with new market entrants occupying new market segments on a daily basis, cybercriminals are perfectly positioned to continue offering commoditized underground market goods, such as, for instance, fake documents, for the purpose of generating fraudulent revenue, while empowering fellow cybercriminals with the necessary tools to further commit fraudulent activities.

In this post, we'll discuss a newly launched service offering fake press accreditation documents, and discuss the overall relevance of the service in the context of the underground marketplace's ongoing commoditization, basic market segmentation concepts, newly applied concepts such as DIY (do-it-yourself) type of services, and basic OPSEC with QA (Quality Assurance) in mind.
The service is currently offering custom-made press accreditation documents for the Russian Federation, allowing potential cybercriminals to access press-free zones and potentially commit related fraudulent activities.

The price varies between $62 and $130 depending on the number of fake documents requested, including the option to request anonymous delivery of the fake documents.

Thanks to a vibrant DIY (do-it-yourself) custom-based market segment for generating fake documents, cybercriminals have also successfully managed to streamline the process of generating these documents, applying basic OPSEC (Operational Security) measures to ensure that they're perfectly positioned to reach their targeted audience while preserving a decent degree of secrecy around their operational procedures, as well as QA (Quality Assurance) processes to further ensure the quality of their underground market proposition.

We expect to continue observing a decent supply of segmented market propositions targeting both novice and experienced cybercriminals seeking to obtain fake documents on their way to committing related fraudulent activities.

Related posts:

[1] A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports

[2] Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills' Service Randomizes and Generates Unique Fakes On The Fly

[3] Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment

[4] Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards
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HaCTpOMKM 

Bepctta PHP: 

PHP5 512 

riariKa cache AOcryiiHa na aamcb (npaaa 66€ htm 777) 
nanna images aocrynHa aa 3anMCb (opasa 666 htw 777) 
rianKa images AOcrynHa aw wreMHn (npaea 555 m Bbiuie) 
PacujvipeHMe PHP GO ycxaHoeneHO 
Bepotfi PHP 6onbuie ww pasHa 5 5 (pe*OMenflyeTCfl) 


/]a HeoCxoAHMO onn pateTw API 

i]a Heo6xQaHMo Ana ktaccoeoA paKaoMioauiw 

/)a Heo6xoA>«M Ana paHAOMtuauaM'>yHHiianiuaL|Wi iuo6paxeHw) 

fla T pe6yeTca Ana paeoTw cxpama 

/)a T pe6yeTca Ana onmianbaori pa6oTbi ecex (t)YHKAMA 


Spam-friendly Image Randomization Tool Released on the Underground Marketplace (2016-08-17 13:34)

Cybercriminals continue applying basic QA (Quality Assurance) processes to their fraudulent campaigns on their way to achieving a positive ROI (Return on Investment) out of their fraudulent activities.

In this post, we'll discuss a newly launched commercial tool that's capable of generating unique images for the purpose of tricking spam filters, in an attempt to trick end users into falling victim to the fraudulent campaign.
Priced at $25, the API-enabled tool is capable of converting a regular image used in a spam campaign into a new one that successfully bypasses spam filters, exposing end users to fraudulent attempts and generating fraudulent revenue for the cybercriminals behind the campaign.

We expect to continue observing an increase in QA (Quality Assurance) driven underground market propositions, leading to a successful set of fraudulent propositions dominating the underground marketplace.
Managed Social Engineering Based Code Signing Generating Certificate Service Spotted in the Wild (2016-08-17 14:23)

Cybercriminals are masters of social engineering, potentially tricking tens of thousands of users on a daily basis into falling victim to fraudulent cybercrime-friendly campaigns, generating them hundreds of thousands in fraudulent revenue and successfully contributing to the growth of multiple market segments within the underground marketplace.

In this post, we'll discuss a newly launched service empowering both novice and experienced cybercriminals with the necessary tools and know-how to further commit fraudulent activities, in the form of socially engineered code signing certificates obtained through the registration of bogus and non-existent companies.

Priced at $1,000 per certificate, the service also offers discounts on a volume basis, including custom contact-based customization files with detailed info about the rogue company used in the code signing process. Relying on basic 'visual social engineering' concepts, cybercriminals are perfectly positioned to execute a successful campaign on a mass scale, or in a targeted nature, successfully targeting tens of thousands of users.

We expect to continue observing relevant code-signing-as-a-service type of cybercrime-friendly propositions within the cybercrime ecosystem, with more market vendors entering the market segment and further positioning themselves as market leaders through basic market segmentation and efficient social engineering techniques.
Newly Launched Cybercrime Service Offers Access to POS Terminals on Demand (2016-08-17 14:32)

Cybercriminals continue applying basic market segmentation concepts to their underground market propositions, to further ensure that they're capable of targeting the right audience, potentially generating hundreds of thousands in fraudulent revenue in the process.

From basic malware-as-a-service underground market propositions offering access to country, city or ISP based types of malware-infected hosts, to cybercrime-friendly services offering access to malware-infected hosts converted into anonymization proxies, cybercriminals continue to utilize basic market segmentation concepts based on the targeted population, in order to further target additional market segments within the cybercrime ecosystem.

In this post, we'll discuss a newly launched managed service offering access to POS (Point of Sale) terminals, further empowering both novice and sophisticated cybercriminals with the necessary access to commit related fraudulent activities.
The service is currently offering access to POS (Point of Sale) terminals located in the United States, Canada, Australia, the United Kingdom, the Netherlands and Germany, priced between $30 and $50 for access to a POS (Point of Sale) terminal.


Cybercriminals continue relying on basic data mining concepts applied to the overall target population, further ensuring the relevance of their market propositions, while continuing to generate fraudulent revenues in the process.

We expect to continue observing an increase in underground market propositions utilizing basic market segmentation concepts, further positioning both novice and experienced market leaders as relevant and competitive market participants, potentially generating tens of thousands in fraudulently obtained assets in the process.
New Cybercrime-Friendly Service Offers Fake Documents and Bills on Demand (2016-08-28 15:33)

The market segment for fake documents and bills continues flourishing, thanks to a vibrant cybercrime ecosystem offering access to a variety of commoditized underground market items, further generating fraudulent revenue for the cybercriminals behind it. Thanks to the overall availability of DIY (do-it-yourself) type of malware generating tools, and the overall prevalence of money mule recruitment scams allowing cybercriminals easy access to basic risk-forwarding tactics, cybercriminals continue generating tens of thousands in fraudulent revenue in the process.

In this post, we'll discuss a newly launched managed cybercrime service offering access to fake documents, stolen credit cards and fake bills, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.
The service is currently offering fake documents for Australia, Belgium, Brazil, Canada, Denmark, Estonia, Finland, France, Germany, Greece, Italy, India, Netherlands, Norway, Latvia, Lithuania, Poland, Romania, Slovakia, Slovenia, Sweden, United Kingdom, USA, Russia, and fake bills for Australia, Austria, Canada, Czech Republic, Estonia, France, Finland, Germany, Ireland, Italy, United Kingdom, Latvia, Norway, Romania, Slovakia, Sweden, Switzerland, USA, Spain, Russia, France, Ukraine.

We'll continue monitoring the market segment for fake documents and post updates as soon as new developments take place.

This post has been reproduced from [1]Dancho Danchev's blog. Follow him [2]on Twitter.

1. http://ddanchev.blogspot.com/

2. https://twitter.com/dancho_danchev
Managed Hacked PCs as a Service Type of Cybercrime-friendly Service Spotted in the Wild (2016-08-28 18:38)

With the cybercrime ecosystem persistently supplying new malware releases, cybercriminals continue occupying multiple market segments within the cybercrime ecosystem, generating tens of thousands in fraudulent revenue in the process and potentially empowering new market entrants with the necessary tools and know-how to continue launching related malicious attacks against users internationally.

In this post, we'll profile a newly launched managed hacked-PCs-as-a-service type of cybercrime-friendly service, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.
Next to the overall availability of malware-infected hosts empowering novice cybercriminals with the necessary tools and know-how to conduct related malicious attacks, cybercriminals often rely on basic market segmentation approaches, further taking advantage of the affected users to launch related managed cybercrime-friendly services.
The service is currently offering access to malware-infected hosts in the United States, Italy, France, Spain, Brazil, Argentina and Poland, further empowering novice cybercriminals with the necessary tools and know-how to continue launching related malicious attacks.

We'll continue monitoring the market segment for hacked PCs and post updates as soon as new developments take place.

This post has been reproduced from [1]Dancho Danchev's blog. Follow him [2]on Twitter.

1. http://ddanchev.blogspot.com/

2. https://twitter.com/dancho_danchev
Managed SWF Injection Cybercrime-friendly Service Fuels Growth Within the Malvertising Market Segment (2016-08-29 11:58)

Cybercriminals continue launching new cybercrime-friendly services aiming to diversify their portfolio of fraudulent services, while earning tens of thousands in fraudulent revenue in the process. Thanks to a vibrant cybercrime ecosystem and the overall availability of DIY (do-it-yourself) type of malicious software generating tools, cybercriminals continue diversifying their portfolio of fraudulent services while earning tens of thousands in fraudulent revenue in the process.

Largely relying on a diversified set of tactics, techniques and procedures, cybercriminals often rely on the automated and systematic compromise of vulnerable Web sites as an active traffic acquisition tactic, in order to hijack, intercept and monetize the acquired traffic and earn fraudulent revenue in the process. Thanks to a vibrant cybercrime-friendly ecosystem, cybercriminals continue actively hijacking, intercepting and monetizing the acquired traffic for the purpose of earning fraudulent revenue.

In this post, we'll discuss a newly launched managed SWF injecting type of cybercrime-friendly service (108.162.197.62), provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have been downloaded from the same C&C server IP (108.162.197.62):

MD5: 738ef8e826b5f9070f555dc8d5e3320f

MD5: 8dddfldl786ff72adc60057305f4f2c9 

MD5: 0042ef6bl51d68824999ed27e320ab7b 

MD5: ea0f806840a8fl765994d2941d24al8a 

MD5: 9d0e32a4fld4fb348f70f235e9731363 

Related malicious MD5s known to have phoned back to the same C&C server IP (108.162.197.62):

MD5: 4el08296flld99e56be375dcab2e03d4

MD5: 8f696a2995aa56be5a7fe6ac8639e94a

MD5: 2aa4fedd2626f4a210dl3a356cf721al

MD5: 822606bb2f5a86bd20e4dlll705c9e99

MD5: 6267650eb343bclfb063233aaf398c9a
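The indicator lists throughout these posts (defanged hxxp:// URLs with the IPs they resolve to, and MD5s, including the lists above) are what a defender feeds into blocklists and hunting queries, and in this scraped copy they also carry OCR damage: stray spaces inside hostnames, "l" in place of "1", and "cl" in place of "d" inside hashes. The following Python script is an added example, not code from the original posts: it parses lines in the layout used on this page, refangs the URLs, validates the IPs, and accepts an MD5 only when it is 32 hex characters, repairing the substitutions that are unambiguous and rejecting anything it cannot restore with certainty. The sample text is constructed for the example, using documentation IP ranges and made-up hashes rather than indicators from the posts.

```python
import ipaddress
import re
from dataclasses import dataclass, field

HEX = set("0123456789abcdef")

# Constructed sample in the layout used by the posts on this page (documentation
# IP ranges and made-up hashes, deliberately including OCR-style damage).
SAMPLE_IOC_TEXT = """
Malicious URLs used in the campaign:
hxxp://bad-example.test/track/k.track?wd=48 &fid = 2 - 192.0.2.10
hxxp://second-example.test - 198.51.100.7; 203.0.113.9
hxxp://my host.example.test
Once executed the sample phones back to the following C&C server: hxxp://third-example.test (192.0.2.10)
MD5: 0123456789abcdef0123456789abcdef
MD5: 0l23456789abcdef0123456789abcdef
MD5: C0123456789ABCDEF0123456789ABCDE
MD5: abcdefabcdefabcdefabcdefabcdefclab
"""


@dataclass
class Indicators:
    urls: list = field(default_factory=list)          # refanged URLs
    ips: list = field(default_factory=list)           # unique IPv4 addresses, first-seen order
    md5_valid: list = field(default_factory=list)     # 32 lowercase hex characters as given
    md5_repaired: dict = field(default_factory=dict)  # OCR-damaged text -> repaired digest
    md5_rejected: list = field(default_factory=list)  # could not be restored unambiguously


# A URL token optionally followed by " - ip; ip" or " (ip)"
IOC_LINE_RE = re.compile(r"(?P<url>hxxp.*?)(?:\s+[-(]\s*(?P<ips>.*))?$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang_url(token: str) -> str:
    """Undo hxxp defanging and drop the spaces OCR inserted inside hostnames/paths."""
    token = token.replace("hxxpV/", "hxxp://")  # mangled scheme seen in OCR'd copies
    token = re.sub(r"^hxxp(s?)://", r"http\1://", token, flags=re.IGNORECASE)
    return token.replace(" ", "")  # whitespace never belongs inside a URL on these lists


def normalize_md5(raw: str):
    """Classify an MD5 string as ("valid"|"repaired"|"rejected", value).

    Hex digests contain no 'l' or 'o', so those glyphs can only be OCR errors for
    '1' and '0' and are substituted. 'cl' is ambiguous ('d' or 'c1'), so a digest
    whose length is still not 32 after the safe substitutions is rejected, not guessed.
    """
    s = raw.strip().lower()
    if len(s) == 32 and set(s) <= HEX:
        return "valid", s
    fixed = s.replace("l", "1").replace("o", "0")
    if len(fixed) == 32 and set(fixed) <= HEX:
        return "repaired", fixed
    return "rejected", raw.strip()


def parse_iocs(text: str) -> Indicators:
    """Extract URLs, IPs and MD5s from text in the format used by these posts."""
    out = Indicators()
    for line in text.splitlines():
        line = line.strip()
        if line[:4].upper() == "MD5:":
            status, value = normalize_md5(line[4:])
            if status == "valid":
                out.md5_valid.append(value)
            elif status == "repaired":
                out.md5_repaired[line[4:].strip()] = value
            else:
                out.md5_rejected.append(value)
            continue
        pos = line.find("hxxp")
        if pos < 0:
            continue  # prose line without an indicator
        m = IOC_LINE_RE.match(line[pos:])
        out.urls.append(refang_url(m.group("url")))
        for candidate in IPV4_RE.findall(m.group("ips") or ""):
            try:
                ip = str(ipaddress.IPv4Address(candidate))
            except ValueError:
                continue  # e.g. an octet above 255
            if ip not in out.ips:
                out.ips.append(ip)
    return out


if __name__ == "__main__":
    result = parse_iocs(SAMPLE_IOC_TEXT)
    for url in result.urls:
        print("url    ", url)
    for ip in result.ips:
        print("ip     ", ip)
    for h in result.md5_valid:
        print("md5 ok ", h)
    for bad, good in result.md5_repaired.items():
        print("md5 fix", bad, "->", good)
    for h in result.md5_rejected:
        print("md5 bad", h)
```

Hashes that land in the rejected bucket should be checked against the original source before they are loaded anywhere; a "nearly right" hash is worse than none, because it silently never matches. The same applies to hostnames whose letters (rather than spacing) look OCR-damaged: the script only removes whitespace and never substitutes characters inside a domain.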

The service is currently offering a basic type of account registration process priced at $100, and a premium type of account registration process priced at $1,000.

We'll continue monitoring the market segment for malvertising type of managed cybercrime-friendly services and post updates as soon as new developments take place.

This post has been reproduced from [1]Dancho Danchev's blog. Follow him [2]on Twitter.

1. http://ddanchev.blogspot.com/

2. https://twitter.com/dancho_danchev
New Service Offering Fake Documents on Demand Spotted in the Wild (2016-12-21 14:08)

In a cybercrime ecosystem dominated by multiple underground market participants and hundreds of fraudulent propositions, cybercriminals continue successfully monetizing access to malware-infected hosts for the purpose of earning fraudulent revenue in the process, largely relying on a set of DIY (do-it-yourself) managed cybercrime-friendly services.

We've recently intercepted a newly launched managed on-demand underground market type of service proposition offering access to fake documents and IDs, successfully empowering novice cybercriminals with the necessary tactics, techniques and procedures for the purpose of committing fraudulent activities while earning fraudulent revenue in the process.

In this post, we'll profile the service, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.
In a cybercrime ecosystem populated by hundreds of fraudulent propositions, cybercriminals continue actively launching managed cybercrime-friendly services, successfully monetizing access to malware-infected hosts while earning fraudulent revenue in the process. Largely relying on a diverse set of tactics, techniques and procedures, cybercriminals continue launching managed cybercrime-friendly services that empower novice cybercriminals with the necessary tactics, techniques and procedures for the purpose of earning fraudulent revenue.









The market segment for fake IDs and fake documents continues flourishing, largely thanks to a diverse set of underground-market cybercrime-friendly managed services that empower novice cybercriminals with the necessary tactics, techniques and procedures to further commit cybercrime while earning fraudulent revenue in the process. In a market segment dominated by commoditized cybercrime-friendly propositions, cybercriminals continue actively populating the market for fake IDs and fake documents with hundreds of fraudulent propositions, successfully empowering novice cybercriminals with the necessary tactics, techniques and procedures to further commit fraudulent activity while earning fraudulent revenue in the process.

We'll continue monitoring the market segment for fake documents and IDs, and post updates as soon as new developments take place.

Historical OSINT - Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign (2016-12-23 06:47)

There's no such thing as free porn, unless there are client-side exploits served.

We've recently intercepted a currently circulating malicious spam campaign enticing end users into clicking on malware-serving, client-side exploit embedded content, for the purpose of affecting a socially engineered user's host and further monetizing access by participating in a rogue affiliate-network based type of monetizing scheme.


In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:

hxxp://jfkweb.chez.com/HytucztXRs.html -> hxxp://aboutg.dothome.co.kr/bbs/theme_1.php -> hxxp://aboutg.dothome.co.kr/bbs/theme_1.php?s=hvqCgoLEI&id=6 -> hxxp://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=14 -> hxxp://meganxoxo.com - 74.222.13.2


- associated name servers: ns1.tube310.info; ns2.tube310.info - 74.222.13.24

Parked there (74.222.13.2) are also:

hxxp://e-leaderz.com - Email: seoproinc@gmail.com
hxxp://babes4you.info - 74.222.13.25
hxxp://tubexxxx.info
hxxp://my-daddy.info - 74.222.13.25

Related malicious URLs known to have participated in the campaign:


The exploitation structure is as follows:

hxxp://meganxoxo.com/xox/go.php?sid=6 -> hxxp://kibristkd.org.tr/hasan-ikizer/index01.php -> hxxp://fd1a234sa.com/js - 79.135.152.26 -> hxxp://asf356ydc.com/qual/index.php (CVE-2008-2992; CVE-2009-0927; CVE-2010-0886) -> hxxp://asf356ydc.com/qual/52472f502b9688d3326a32ed5ddd5d2c.js -> hxxp://asf356ydc.com/qual/abe9c321312b206bffa798ef9d5b6a9b.php?uid=206 -> hxxp://188.243.231.39/public/qual.jar -> hxxp://asf356ydc.com/qual/load.php/0a3584217553d6fccbd74cfb73e954b6?forum=thread_id -> hxxp://asf356ydc.com/download/stat.php -> hxxp://asf356ydc.com/download/load/load.exe

Related malicious URLs known to have participated in the campaign:




Related malicious URIs known to have participated in the campaign:

hxxp://qual/10964108e3afab081ed1986cde437202.js
hxxp://qual/768a83ea36dbd09f995a97c99780d63e.php?spn=2&uid=213393
hxxp://qual/index.php?browser_version=6.0&uid=213393&browser=MSIE&spn=2

Related malicious URLs known to have participated in the campaign:

hxxp://download/banner.php?spl=javat
hxxp://download/j1_ke.jar
hxxp://download/j2_93.jar

parked on 89.248.111.71, AS45001, Interdominios_ono Grupo Interdominios S.A.

wemhkr3t4z.com - Email: fole@fox.net - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related malicious MD5s known to have participated in the campaign: hxxp://alhatester.com/cp/file.exe

Known to have phoned back to the same malicious C&C server IPs are also the following malicious MD5s:


Once executed, a sample malware (MD5: 89fb419120d1443e86d37190c8f42ae8) phones back to the following C&C server IPs:


Once executed, a sample malware (MD5: 3194e6282b2e51ed4ef186ce6125ed73) phones back to the following malicious C&C server IPs:

Once executed, a sample malware (MD5: 7f42da8b0f8542a55e5560e86c4df407) phones back to the following malicious C&C server IPs:


Once executed, a sample malware (MD5: f8bdc841214ae680a755b2654995895e) phones back to the following malicious C&C server IPs:


Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://v00d00.org/nod32/grabber.exe - 67.215.238.77; 67.215.255.139; 184.168.221.87

Related malicious MD5s known to have phoned back to the same C&C server IPs (67.215.238.77): MD5: 1233c86cl3ab0081b69977clbc92f238cl0

Known to have responded to the same malicious IPs are also the following malicious domains:

hxxp://blog.symantecservice37.com
hxxp://agoogle.in
hxxp://adv.antivirup.com
hxxp://cdind.antivirup.com

Once executed, a sample malware phones back to the following C&C server IPs:

hxxp://v00d00.org/nod32/update.php

Known to have responded to the same malicious IPs (67.215.255.139) are also the following malicious domains:

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (67.215.255.139):


Known to have responded to the same malicious C&C server IPs (184.168.221.87) are also the following malicious domains:



Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (184.168.221.87):


Once executed, a sample malware (MD5: 037f8120323f2ddff3c806185512538c) phones back to the following C&C server IPs:

hxxp://porno-kuba.net/emo/ld.php?v=1&rs=1819847107&n=1&uid=1

Once executed, a sample malware (MD5: 44f0e8fe53a3b489cb5204701fa1773d) phones back to the following C&C server IPs:




Sample malicious URLs known to have participated in the campaign:


Once executed, a sample malware phones back to the following C&C server IPs: asf356ydc.com - MD5: 3b375fc53207e1f54504d4b038d9fe6b



Related malicious domains known to have participated in the campaign: dsf356ydc.co, kaljv63s.com, sadkajt357.com

We'll continue monitoring the fraudulent infrastructure and post updates as soon as new developments take place.
Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection (2016-12-23 08:02)

In a cybercrime ecosystem dominated by fraudulent propositions, historical OSINT remains a crucial part of the process of obtaining actionable intelligence on a fraudulent infrastructure, for the purpose of establishing a direct connection with the individuals behind it. Largely relying on a set of tactics, techniques and procedures, cybercriminals continue further expanding their fraudulent infrastructure, successfully affecting hundreds of thousands of users globally and earning fraudulent revenue in the process of committing fraudulent activity.

In this post we'll discuss a black hat SEO (search engine optimization) campaign intercepted in 2009, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it, successfully establishing a direct connection with the Koobface gang.

The Koobface gang, having suffered major takedown efforts thanks to active community and ISP (Internet Service Provider) cooperation, has nonetheless managed to affect a major proportion of the major social media Web sites, including Facebook and Twitter, for the purpose of further spreading the malicious software served by the gang while earning fraudulent revenue in the process of monetizing the hijacked and acquired traffic, largely relying on the use of fake security software and on a fraudulent affiliate-network based type of monetizing scheme.
Largely relying on a diverse set of traffic acquisition tactics, including social media propagation, black hat SEO (search engine optimization) and client-side exploits, the Koobface gang has managed to affect hundreds of thousands of users globally, populating social media networks such as Facebook and Twitter with rogue and bogus content for the purpose of spreading malicious software and earning fraudulent revenue in the process, monetizing the hijacked and acquired traffic largely through an affiliate-network based traffic monetizing scheme.












Let's profile the campaign, provide actionable intelligence on the infrastructure behind it, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it, and establish a direct connection with the Koobface gang and the Koobface botnet's infrastructure.

Sample URL redirection chain:

hxxp://flash.grywebowe.com/elin5885/?x=entry:entry091109-071901 -> hxxp://alicia-witt.com/elin1619/?x=entry:entry091112-185912 -> hxxp://indiansoftwareworld.com/index.php?affid=31700 - 213.163.89.56
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var laOpara ■ (navigator .uaarAgant. tadaaOt |*Oyara*) *• ->11 ? trua t talaa; 
tuactioB CentrelVaraienll ( 
var varaion; 
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try < 

axe * MV ActivaXCbjaet |*Sbockvavariaah.Sbeckvav«riaah.7*|; 
wraioa • axo.CatVartable|*lvvraiBa*]; 

> catch (a) <1 
It I'vartieni i 
tty I 

axo * Mv ActivaXClojact (*8hoc)npavaria«h.8hoc>taavaPla«b.<*)j 
vacaion ■ *VIN i,0.21,0*: 
Sample detection rate for a malicious executable: MD5: bd7419a376f9526719d4251a5dab9465

Sample URL redirection chain leading to client-side exploits:

hxxp://loomoom.in/counter.js - 64.20.53.84 - the front page says "We are under DDOS attack. Try later".

hxxp://firefoxfowner.cn/?pid=101s06&sid=977111 -> hxxp://royalsecurescana.com/scan1/?pid=101s6&engine=p3T41jTuOTYzLjE3Ny4xNTMmdGltZTOxMjUxNMkNPAhN

Sample detection rate for a malicious executable: MD5: a91a1bb995e999f27ffc5d9aa0ac2ba2


Once executed, a sample malware phones back to:

hxxp://systemcoreupdate.com/download/timesroman.tif - 213.136.83.234



[Screenshot: Fiddler capture of the request headers of the GET HTTP/1.1 request to the phone-back host (Accept, Accept-Charset, Accept-Encoding, Accept-Language, User-Agent, Connection: keep-alive, Host)]


[Screenshot: obfuscated JavaScript from the scareware landing page, defining host, pid ("58s06") and sid ("9f93bc") variables, with helper functions that decode the encoded host string through charCodeAt / String.fromCharCode loops]


Sample URL redirection chain:

hxxp://oppp.in/counter.js - 64.20.53.83 - the same message is also left: "We are under DDOS attack. Try later"

hxxp://johnsmith.in/counter.js - 64.20.53.86


Sample directory structure for the black hat SEO (search engine optimization) campaign:


Sample malicious domains participating in the campaign:

pcmedicalbilling.com - Email: sophiawrobertson@pookmail.com
securitytoolnow.com - Email: ronaldmpappas@dodgit.com
securitytoolsclick.net - Email: ruthdtrafton@dodgit.com
security-utility.net - Email: richardrmccullough@trashymail.com

Historically parked on the same IP were the following domains, now responding to 91.212.107.37:




Sample malicious domains known to have participated in the campaign:

hxxp://antyspywarestore.com/index.php?affid=90400
hxxp://newsecuritytools.net/index.php?affid=90400 - 78.129.166.11 - Email: joyomcdermott@gmail.com

Sample detection rate for a malicious executable:

MD5: 0feffd97ffe3ecc875cfe44b73f5653b
MD5: a0d9d3127509272369f05c94ab2acfc9


Naturally, it gets even more interesting, in particular the fact that the very same robertsimonkroon@gmail.com used to register the domains historically parked at the IP that is currently hosting the scareware domains part of the massive blackhat SEO campaign - the very same domains (hxxp://firefoxfowner.cn) were also in circulation on Koobface-infected hosts, in a similar fashion to when the domains used in the New York Times malvertising campaign were simultaneously used in blackhat SEO campaigns managed by the Koobface gang - has not only been seen in July's scareware campaigns, but has also been used to register actual domains used as download locations for the scareware campaigns part of the [1]Koobface botnet's scareware business model.

Parked at the same malicious IP (91.212.107.37) are also the following malicious domains:


Sample detection rate for a malicious executable:

MD5: 29ff816c7e11147bb74570c28c4e6103
MD5: e59b66eb1680c4f195018b85e6d8b32b
MD5: b34593d884a0bc7a5adb7ab9d3b19a2c

The overwhelming evidence of underground multi-tasking performed by the Koobface gang, its connections to money mule recruitment scams, its high profile malvertising attacks, and its position as current market share leader in blackhat SEO campaigns made the group a prominent market leader within the cybercrime ecosystem, having successfully affected hundreds of thousands of users globally and potentially earned hundreds of thousands in fraudulent revenue in the process.
Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing Campaign Spotted in the Wild (2016-12-23 11:29)

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively populating their botnets' infected population with hundreds of thousands of newly affected users globally, potentially compromising the confidentiality, integrity and availability of the affected hosts through a multitude of malicious software, further earning fraudulent revenue in the process of monetizing the affected botnet's population, largely relying on an affiliate-based type of fraudulent revenue monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign impersonating Facebook for the purpose of serving client-side exploits to socially engineered users, further compromising the confidentiality, integrity and availability of the affected hosts through a multitude of malicious software, and earning fraudulent revenue in the process of monetizing the affected hosts, largely relying on an affiliate-based type of fraudulent revenue monetizing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample URL exploitation chain:

hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
- hxxp://wqdfr.salefale.com/index.php - 62.193.127.197
- hxxp://spain.salefale.com/index.php

Related malicious domains known to have participated in the campaign:

hxxp://salefale.com - 112.137.165.114
- hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru

Sample detection rate for the malicious executable:

MD5: e96c8d23e3b64d79e5e134a9633d6077
MD5: 19d9cc4d9d512e60f61746ef4c741f09
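The indicator records in these posts follow one loose notation: hxxp:// defanged URLs, "host - IP - Email: address" records, "MD5: <hash>" lines and "->" redirection chains, with some values mangled by the extraction ("(g)" where "@" stood, letters inside hashes). As an added example that is not part of the original post, the following Python turns that notation into refanged, de-duplicated blocklist material and flags MD5 values that are not 32 hex digits instead of silently dropping them; the sample lines are constructed with reserved documentation names, not the post's own indicators.

```python
"""Parse the defanged indicator notation used in these posts into structured data.

Added example, not part of the original post. Input lines are constructed
samples using reserved documentation names, not the post's own indicators.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# "MD5: <value>" -- the value is validated separately so extraction damage is reported
MD5_LABEL_RE = re.compile(r"MD5:\s*([0-9A-Za-z]+)")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")
# dotted quad that is not embedded in a longer dotted token
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# "Email: user@domain"; the extraction sometimes renders "@" as "(g)"
EMAIL_RE = re.compile(r"Email:\s*([\w.+-]+)(?:@|\(g\))([\w-]+(?:\.[\w-]+)+)")
# hxxp:// defanged URL, ended by whitespace or a list separator
URL_RE = re.compile(r"hxxps?://[^\s;,]+")


@dataclass
class Indicators:
    urls: list = field(default_factory=list)       # refanged, in order of appearance
    hosts: list = field(default_factory=list)      # unique hostnames (IP hosts go to ips)
    ips: list = field(default_factory=list)        # unique, octet-validated IPv4 addresses
    emails: list = field(default_factory=list)     # registrant addresses with "@" restored
    md5s: list = field(default_factory=list)       # well-formed 32-hex digests, lowercased
    malformed: list = field(default_factory=list)  # MD5 values that fail the hex check


def refang(url: str) -> str:
    """hxxp:// -> http:// (the only URL defanging these posts use)."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def valid_ipv4(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def _add_unique(items: list, value: str) -> None:
    if value not in items:
        items.append(value)


def parse(text: str) -> Indicators:
    ind = Indicators()
    for line in text.splitlines():
        for raw in MD5_LABEL_RE.findall(line):
            digest = raw.lower()
            (ind.md5s if HEX32_RE.match(digest) else ind.malformed).append(digest)
        for user, domain in EMAIL_RE.findall(line):
            _add_unique(ind.emails, f"{user}@{domain}")
        # drop the e-mail text so its domain is not mistaken for a host
        rest = EMAIL_RE.sub("", line)
        for defanged in URL_RE.findall(rest):
            url = refang(defanged)
            _add_unique(ind.urls, url)
            host = urlsplit(url).hostname
            if host and not IPV4_RE.fullmatch(host):
                _add_unique(ind.hosts, host)
        for ip in IPV4_RE.findall(rest):
            if valid_ipv4(ip):
                _add_unique(ind.ips, ip)
    return ind


def blocklist(ind: Indicators) -> list:
    """Hostnames and IPs in one sorted list, ready for a DNS or proxy deny list."""
    return sorted(set(ind.hosts) | set(ind.ips))


# Constructed sample in the posts' notation (documentation-reserved names).
SAMPLE = """\
hxxp://auth.social.example/id1/Login.php
- hxxp://abc.landing.example/index.php - 192.0.2.10
- hxxp://landing.example - 198.51.100.7 - Email: reg(g)mailbox.example
MD5: 0123456789abcdef0123456789abcdef
MD5: 0123456789abcdef0123456789abcdel
hxxp://a.example/go.php?id=1 -> hxxp://b.example/x.html -> hxxp://203.0.113.5/c.jar
"""

if __name__ == "__main__":
    result = parse(SAMPLE)
    print("blocklist:", blocklist(result))
    print("md5s:", result.md5s)
    print("malformed MD5s (check against the original):", result.malformed)
```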

Once executed, a sample malware phones back to:

hxxp://makotoro.com

Related malicious C&C server IPs known to have participated in the campaign:




Related malicious C&C server IPs (212.175.173.88) known to have participated in the campaign:

hxxp://downloads.fileserversa.org

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Haiti-themed Blackhat SEO Campaign Serving Scareware Spotted in the Wild (2016-12-23 12:53)

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively spreading malicious software, largely relying on a pre-defined set of compromised hosts for the purpose of further expanding a specific botnet's infected population and earning fraudulent revenue in the process of monetizing access to the infected hosts, largely through an affiliate-based type of monetizing scheme.

In this post we'll profile a currently circulating malicious black hat SEO (search engine optimization) campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.



Sample portfolio of affected Web sites:

Sample URL redirection chain:

hxxp://sciencefirst.com/?red=haiti-earthquake-donate
- hxxp://otsosute.freehostia.com/c.html
- hxxp://scan-now24.com/go.php?id=2022&key=4c69e59ac&d=1

Sample URL redirection chain:

hxxp://lipsticpi.ru/sm/r.php
- hxxp://uscaau.com/back.php
- hxxp://sekuritylistsite.com/hitin.php?land=20&affid=94801
- hxxp://mypremiumantyspywarepill.com/hitin.php?land=20&affid=94801
- hxxp://mypremiumantyspywarepill.com/index.php?affid=94801

Sample detection rate for a sample malicious executable:

MD5: ebc956abadefdac794ebcd1898ea07cf

Sample detection rate for a sample malicious executable:

MD5: d65a5d1ab98bd690dccd07cb6eebcba3

Once executed, a sample malware phones back to the following C&C server IPs:

hxxp://mypremiumantyspywarepill.com/in.php?affid=94801
hxxp://greatnorthwill.com/?mod=vv&i=1&id=11-18

Related malicious domains known to have participated in the campaign:


Related malicious domains known to have participated in the campaign:


We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Massive Black Hat SEO Campaign Serving Scareware Spotted in the Wild (2016-12-24 05:47)

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively acquiring and hijacking traffic for the purpose of converting it to malware-infected hosts, while earning fraudulent revenue in the process of monetizing the hijacked and acquired traffic, largely relying on a set of tactics, techniques and procedures and on an affiliate-based type of monetizing scheme.

We've recently intercepted a currently circulating malicious black hat SEO (search engine optimization) campaign serving fake security software, also known as scareware, successfully monetizing the hijacked and acquired traffic largely through an affiliate-network based type of monetizing scheme.

in, this, post, we'ii, profiie, the, campaign, provide, 
actionabie, inteiiigence, on, the, infrastructure, behind, it. 



and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it. 

Sample portfolio of compromised Web sites:

hxxp://yushikai.co.uk
hxxp://www.heart-2-heart.nl
hxxp://www.stichtingkhw.nl
hxxp://burgessandsons.com
hxxp://marsmellow.info
hxxp://broolz.co.uk
hxxp://bodyscope.co.uk
hxxp://janschnoor.de
hxxp://goodluckflowers.com
hxxp://www.frank-carillo.com
hxxp://www.strijkvrij.com
hxxp://www.fotosiast.nl
hxxp://www.senbeauty.nl
hxxp://www.menno.info
hxxp://www.kul.fm

Sample URL redirection chain:

hxxp://onotole.iblogger.org/2.html - 199.59.243.120; 205.164.14.79; 199.59.241.181
-> hxxp://mycommercialssecuritytool.com/index.php?affid=34100 - 89.248.171.48

Email: Kathryn.D.Jennings@gmail.com

Related malicious domains known to have participated in the campaign:

hxxp://myatmoe.iblogger.org
hxxp://creditreport.iblogger.org
hxxp://movieddiheaven.iblogger.org
hxxp://cv-bruno-brocas.iblogger.org
hxxp://isiife.iblogger.org
hxxp://iblogger.iblogger.org
hxxp://dressshirt.iblogger.org
hxxp://allians.iblogger.org
hxxp://rapid-weight-loss.iblogger.org
hxxp://breastaugm.iblogger.org
hxxp://uiia.iblogger.org
hxxp://oh-tv.iblogger.org
hxxp://brudnopis.iblogger.org
hxxp://learnenglish.iblogger.org
hxxp://motivatedcats.iblogger.org
hxxp://robert.iblogger.org
hxxp://testforask.iblogger.org
hxxp://poormanguides.iblogger.org
hxxp://geibegabein.iblogger.org
hxxp://nuagerouge.iblogger.org
hxxp://chicos-on-line.iblogger.org
hxxp://hypnosisworld.iblogger.org
hxxp://tennis.iblogger.org
hxxp://ibu.iblogger.org
hxxp://turkifsa.iblogger.org
hxxp://amandacooper.iblogger.org
hxxp://tw.iblogger.org
hxxp://whedon.iblogger.org
hxxp://han.iblogger.org
hxxp://scciab.iblogger.org
hxxp://besftfoodblogger.iblogger.org
hxxp://premiummenderacunt.iblogger.org
hxxp://seobook.iblogger.org
hxxp://bestjackets.iblogger.org
hxxp://kidszone.iblogger.org
hxxp://liker2fb.iblogger.org
hxxp://vipin.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://palermo.iblogger.org
hxxp://forum.bay.de.iblogger.org
hxxp://online-guard.iblogger.org
hxxp://juhjsd.iblogger.org
hxxp://asuiii.iblogger.org
hxxp://youtubetranscription.iblogger.org
hxxp://praza.iblogger.org
hxxp://free-worlds.iblogger.org
hxxp://mlm.iblogger.org
hxxp://myiesikadusaie.iblogger.org
hxxp://ninjapearls.iblogger.org
hxxp://bassian.iblogger.org
hxxp://d3-f2l-w-14.iblogger.org
hxxp://mik.iblogger.org
hxxp://pe.iblogger.org
hxxp://connor54321.iblogger.org
hxxp://smx.iblogger.org
hxxp://l7fire.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://generalsurgery.iblogger.org
hxxp://megafon.iblogger.org
hxxp://dasefx.iblogger.org
hxxp://ysofii.iblogger.org
hxxp://priv8.iblogger.org
hxxp://kahramanmaras.iblogger.org
hxxp://kaoojcji.iblogger.org
hxxp://dla-kobiet.iblogger.org
hxxp://karinahart.iblogger.org
hxxp://mariucciaelasuaombra.iblogger.org
hxxp://signinbay.de.iblogger.org
hxxp://pitstop.iblogger.org
hxxp://colorless.iblogger.org
hxxp://directorio.iblogger.org
hxxp://ocienaviva.iblogger.org
hxxp://e-money.iblogger.org
hxxp://digicron.iblogger.org
hxxp://slotomania-hackers.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://bestoksriy.iblogger.org
hxxp://teamsite.iblogger.org
hxxp://mateaplicada.iblogger.org
hxxp://tmgames.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://sharepointdotnetwiki.iblogger.org
hxxp://jawwal.iblogger.org
hxxp://tomsplace.iblogger.org
hxxp://shreyo.iblogger.org
hxxp://beitypedia.iblogger.org
hxxp://dutcheastindies.iblogger.org
hxxp://cramat-satu.iblogger.org
hxxp://misc.iblogger.org
hxxp://espirito-de-aventura.iblogger.org
hxxp://tomksoft.iblogger.org
hxxp://mymovies.iblogger.org

Known to have responded to the same malicious IP (199.59.243.120) are also the following malicious domains:

hxxp://brendsrnzwrn.cuccfree.com
hxxp://caraccidentlawyer19.us
hxxp://colombiavirtualtours.com
hxxp://dailydigest.cn
hxxp://drugaddiction569.us
hxxp://earnonline.cn
hxxp://epicor.in
hxxp://glhgk.com
hxxp://iroopay.com
hxxp://kajianislam.us

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (199.59.243.120):

MD5: c7bd669a416a8347aeba6117d0040217
MD5: ae89e09f52db7f9d69b9b9c40dbf35f9
MD5: b4399fc8f1de723d452b05ec474ca651
MD5: c779d9f4e9992ad5ffcd2353bb003a51
MD5: cc6efabb0a26c729f126b12be717de47

Once executed, a sample malware phones back to the following C&C server:

hxxp://theworldnews.byethost5.com - 199.59.243.120

Known to have responded to the same malicious IP (205.164.14.79) are also the following malicious domains (several are free-hosting subdomains, e.g. byethost, so co-hosting on this IP is on its own a weak attribution signal):

hxxp://fsdq.cn
hxxp://parked-domain.org
hxxp://fiverr.hk.tn
hxxp://hamzanori90.name-iq.com
hxxp://postgumtree.uk.tn
hxxp://caoliushequ.info
hxxp://housewives.byethost4.com
hxxp://nuichate.22web.org
hxxp://3rtz.byethost12.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (205.164.14.79):

MD5: dbca66955cac79008f9f1cd415d7e308
MD5: b452ca519f077307d68ff034567087c1
MD5: 70e8c79135b341eac51da0b5789744d3
MD5: a9f64c1404faf4a6fc81564c8dec22d9
MD5: b3737a1c34cb705f7d244c99afdc3a01

Once executed, a sample malware (MD5: dbca66955cac79008f9f1cd415d7e308) phones back to the following C&C server:

hxxp://ibayme.eb2a.com - 205.164.14.79

Known to have responded to the same malicious IP (199.59.241.181) are also the following malicious domains:

hxxp://yn919.com
hxxp://wimp.it
hxxp://puqiji.com
hxxp://52style.com
hxxp://007guard.com
hxxp://10iski.1000lmb.com
hxxp://11649.bodisparking.com
hxxp://13.get.themediafinder.com
hxxp://134205.aceboard.fr

Sample detection rate for a malicious executable:

MD5: f74a744d75c74ed997911d0e0b7e6f67

Once executed, a sample malware phones back to the following C&C server:

hxxp://mycommercialssecuritytool.com/in.php?affid=34100

Related malicious domains known to have participated in the campaign:

hxxp://protectyoursystemnowonline.com
hxxp://createyoursecurityonline.com
hxxp://commercialssecuritytools.com
hxxp://freecreateyoursecurity.com

Sample URL redirection chain:

hxxp://uiions.com/yxg.php?p= - 104.28.22.34
-> hxxp://ppbmv4.xorg.pl/in.php?t=cc&d=04-02-2010_span&h=
-> hxxp://www1.nat67go4it.net/?uid=195&pid=3&ttl=5184c614d4b - 89.248.160.161
-> hxxp://www1.systemsecure.in/?p=

Known to have responded to the same malicious C&C server IP (104.28.22.34) are also the following domains. Note that 104.28.22.34 lies in Cloudflare's 104.16.0.0/12 anycast range, so these sites merely share a CDN front end with the redirector and should not be treated as operated by the same actor without further evidence:

hxxp://portlandultimate.com
hxxp://portablemineapplicationsub.tech
hxxp://indirimkuponlarimiz.com
hxxp://walkinclosetguys.com
hxxp://bryantanaka.com
hxxp://swisschecklist.com
hxxp://census.mnfurs.org
hxxp://duluthbeth.xyz

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (104.28.22.34):

MD5: 11dda0bbd2aef7944f990fcefbc91034
MD5: d0be24df3078866a277874dad09c98d9
MD5: 9ba06da9370037fd2ffe525d6164b367
MD5: 537bd45df702f90585eebab2a8bb3584
MD5: a9f61e9696ff7ff4bfc34f70549ffdd0

Once executed, a sample malware (MD5: 11dda0bbd2aef7944f990fcefbc91034) phones back to the following C&C servers:

hxxp://audio-direkt.net
hxxp://servico-ind.com
hxxp://saios.net
hxxp://coopsupermarkt.nl
hxxp://fruitspot.co.za
hxxp://vitalur.by
hxxp://trinity-works.com

Once executed, a sample malware (MD5: d0be24df3078866a277874dad09c98d9) phones back to the following C&C server:

hxxp://3asfh.net - 104.28.22.34

Once executed, a sample malware (MD5: a9f61e9696ff7ff4bfc34f70549ffdd0) phones back to the following malicious C&C servers:

hxxp://link-list-uk.com
hxxp://racknstackwarehouse.com.au
hxxp://zeronet.co.jp
hxxp://sun-ele.co.jp
hxxp://slcago.org
hxxp://frederickallergy.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.
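Every pivot in this post follows the same mechanical pattern: take an IP from a redirection chain, enumerate the other hosts seen resolving to it, then list the samples that phoned back to it, while remembering that CDN, parking and free-hosting IPs make for weak pivots. The Python script below is an added example, not code from the original post. It refangs the hxxp:// notation used above, parses the "URL - IP; IP" lines into host/IP pairs, pulls out affiliate IDs, and builds the per-IP pivot table, flagging IPs that fall in Cloudflare's 104.16.0.0/12 range. SAMPLE_IOCS is a constructed subset of the indicators listed above, and SHARED_RANGES is an assumption you should extend with your own list of CDN and shared-hosting ranges.

```python
"""Refang defanged IOCs from a threat-intel write-up and pivot on shared IPs."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the indicators listed in the post, in the
# same "hxxp://host/path - ip; ip" notation the post uses.
SAMPLE_IOCS = """
hxxp://onotole.iblogger.org/2.html - 199.59.243.120; 205.164.14.79; 199.59.241.181
hxxp://mycommercialssecuritytool.com/index.php?affid=34100 - 89.248.171.48
hxxp://theworldnews.byethost5.com - 199.59.243.120
hxxp://ibayme.eb2a.com - 205.164.14.79
hxxp://3asfh.net - 104.28.22.34
hxxp://uiions.com/yxg.php?p= - 104.28.22.34
"""

# Ranges where co-hosting says nothing about who operates a domain.
# Cloudflare's 104.16.0.0/12 is the one documented here; the list is an
# assumption you should extend with CDN, parking and free-hosting ranges.
SHARED_RANGES = [ipaddress.ip_network("104.16.0.0/12")]

DEFANG_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


def refang(url):
    """Turn the common defanged forms (hxxp://, [.], (.)) back into a real URL."""
    url = DEFANG_SCHEME.sub(lambda m: "http" + m.group(1).lower() + "://", url.strip())
    return url.replace("[.]", ".").replace("(.)", ".")


def parse_ioc_line(line):
    """Parse 'hxxp://... - ip; ip' into a dict, or return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    url_part, _, ip_part = line.partition(" - ")
    url = refang(url_part)
    parts = urlsplit(url)
    affid = parse_qs(parts.query).get("affid", [None])[0]
    ips = []
    for token in re.split(r"[;,\s]+", ip_part):
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:  # blank token or a trailing note, not an IP
            continue
    return {"url": url, "host": parts.hostname, "affid": affid, "ips": ips}


def is_shared_hosting(ip):
    """True if the IP falls in a range where co-hosting is a weak pivot."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_RANGES)


def pivot_by_ip(ioc_text):
    """Return ({ip: {"hosts": [...], "weak_pivot": bool}}, sorted affiliate ids)."""
    hosts_by_ip = defaultdict(set)
    affids = set()
    for line in ioc_text.splitlines():
        rec = parse_ioc_line(line)
        if rec is None:
            continue
        if rec["affid"]:
            affids.add(rec["affid"])
        for ip in rec["ips"]:
            hosts_by_ip[ip].add(rec["host"])
    table = {ip: {"hosts": sorted(hosts), "weak_pivot": is_shared_hosting(ip)}
             for ip, hosts in hosts_by_ip.items()}
    return table, sorted(affids)


if __name__ == "__main__":
    table, affids = pivot_by_ip(SAMPLE_IOCS)
    for ip in sorted(table, key=ipaddress.ip_address):
        info = table[ip]
        note = "  (CDN/shared range: weak pivot)" if info["weak_pivot"] else ""
        print(f"{ip}: {', '.join(info['hosts'])}{note}")
    print("affiliate ids seen:", ", ".join(affids))
```

Feed the whole IOC section of a write-up through `pivot_by_ip` and the "known to have responded to the same IP" lists fall out directly; the `weak_pivot` flag is what keeps a Cloudflare-fronted redirector from dragging unrelated customers into the cluster.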
Historical OSINT - FTLog Worm Spreading Across Fotolog (2016-12-24 12:49)

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue to grow their botnets' infected population, spreading malicious software that compromises the confidentiality, integrity and availability of the affected hosts, and earning fraudulent revenue by monetizing access to those hosts, most often through an affiliate-based monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign targeting the popular social network Fotolog. Socially engineered users are enticed into clicking a shortened link, are bounced through a traffic distribution system and are finally served a fake "codec" executable; access to the resulting malware-infected hosts is monetized through an affiliate-based scheme.

Sample malicious comment used as the lure (posted by Amaia918371 on 22/02/2010; translated from Spanish):

hey yoourmama, I found this video of you here hxxp://bit.ly/cBTsWo it's you, isn't it?

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample URL redirection chain:

hxxp://bit.ly/cBTsWo
-> hxxp://zwap.to/001mk
-> hxxp://www.cepsaltda.cl/uc/red.php?u=1 - 216.155.72.44
-> hxxp://supatds.cn/go.php?sid=1 - 92.241.164.1
-> hxxp://www.cepsaltda.cl/uc/rcodec.php
-> hxxp://cepsaltda.cl/uc/codec/divxcodec.exe

Sample detection rate for a sample malicious executable:

MD5: c6dbc58e0db3c597c4ab562ad9710a38

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Google Docs Hosted Rogue Chrome Extension Serving Campaign Spotted in the Wild (2016-12-24 19:12)

In a cybercrime ecosystem dominated by malicious software releases, cybercriminals continue to grow their botnets' infected population, compromising the confidentiality, integrity and availability of the affected hosts and earning fraudulent revenue by monetizing access to them, most often through an affiliate-based monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign abusing Google Docs: socially engineered users are enticed into clicking on bogus links inside a hosted presentation, which sends them to an attacker-controlled site and from there to a rogue Chrome extension in the Chrome Web Store.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample URL redirection chain:

https://1364757661090.docs.google.com/presentation/d/1w5eh2rh6i0pbuVjb4_MzBNPEovRw3f6qiho7AshTcHI/htmlpresent?videoid=1364757661199
-> http://www.worldvideos.us/chrome.php
-> https://chrome.google.com/webstore/detail/high-solution/jokhejlfefegeolonbckggpfggipmmim

Related malicious domain reconnaissance:

hxxp://worldvideos.us - 89.19.10.194

Name servers: ns1.facebookhizmetlerim.com; ns2.facebookhizmetlerim.com

Responding to 89.19.10.194 are also the following fraudulent domains, part of the campaign's infrastructure:

hxxp://e-sosyal.biz
hxxp://facebookhizmetlerim.com
hxxp://facebookmedya.biz
hxxp://facebooook.biz
hxxp://fbmedyahizmetleri.com
hxxp://sansurmedya.com
hxxp://sosyalpaket.com
hxxp://worldmedya.net
hxxp://youtubem.biz

Related malicious domains known to have responded to the same malicious C&C server IP (208.73.211.70):

hxxp://396p4rassd2.youiovesosopine.net
hxxp://5ql4.zapd.co
hxxp://airmats.com
hxxp://amciksikis.com
hxxp://anaranjadaverzochte.associate-physicians.org
hxxp://autorepairmanual.org
hxxp://blackoutblinds.com
hxxp://blog.jmarkafghans.com

Related malicious MD5s known to have phoned back to the same C&C server IP (208.73.211.70):

MD5: 584a779ae8cdea13611ff45ebab517ae
MD5: cea89679058fe5a5288cfacc1a64e431
MD5: 62eee7a0bed6e958e72c0edf9da17196
MD5: 160793c37a5aa29ac4c88ba88d1d7cc2
MD5: 46079bbcfcd792dfcd1e906e1a97c3a6

Once executed, a sample malware (MD5: 584a779ae8cdea13611ff45ebab517ae) phones back to the following C&C server:

hxxp://zhutizhijia.com - 208.73.211.70

Once executed, a sample malware (MD5: cea89679058fe5a5288cfacc1a64e431) phones back to the following C&C server:

hxxp://aieov.com - 208.73.211.70

Related malicious domains known to have responded to the same malicious C&C server IP (141.8.224.239):

hxxp://happysocks.7live7.org
hxxp://hiepdam.org
hxxp://hyper-path.com
hxxp://interfacelife.com
hxxp://iowa.findanycycle.com
hxxp://massachusetts.findanyboat.com
hxxp://cliptnyc.com

Related malicious MD5s known to have phoned back to the same C&C server IP (141.8.224.239):

MD5: ddf27e034e38d7d35b71b7dc5668ffce
MD5: 6ba6451a9c185d1d07323586736e770e
MD5: 854ea0da9b4ad72aba6430ffa6cc1532
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: bf78b0fcfc8f1a380225ceca294c47d8

Once executed, a sample malware (MD5: ddf27e034e38d7d35b71b7dc5668ffce) phones back to the following malicious C&C server:

hxxp://srv.desk-top-app.info - 141.8.224.239

Once executed, a sample malware (MD5: 6ba6451a9c185d1d07323586736e770e) phones back to the following malicious C&C server:

hxxp://premiumstorage.info - 141.8.224.239

Once executed, a sample malware (MD5: d5585af92c512bec3009b1568c8d2f7d) phones back to the following C&C servers:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49
hxxp://wentstate.net - 141.8.224.93
hxxp://musicnews.net - 176.74.176.187
hxxp://spendstate.net

Related malicious domains known to have responded to the same malicious C&C server IP (89.19.10.194):

hxxp://liderbayim.com
hxxp://blacksport.org
hxxp://2sosyal-panelim.com
hxxp://sosyal-panelim.com
hxxp://darknessbayim.com
hxxp://hebobayi.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Rogue MyWebFace Application Serving Adware Spotted in the Wild (2016-12-25 07:20)

In a cybercrime ecosystem dominated by malicious software releases, cybercriminals continue to grow their botnets' infected population, spreading software that exposes the confidentiality, integrity and availability of the affected hosts while monetizing access to those hosts, most often through an affiliate-based monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign that relies on basic visual social engineering to entice users into executing a rogue application, potentially exposing the confidentiality, integrity and availability of the affected host.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Related malicious domain reconnaissance:

hxxp://mywebsearch.com - 74.113.233.48; 74.113.237.48; 66.235.119.48
hxxp://mywebface.mywebsearch.com - 74.113.233.64; 74.113.233.180

Note that mywebsearch.com is the distribution and update infrastructure of the MyWebSearch/MyWebFace toolbar family, which is commonly classified as adware or a potentially unwanted program (PUP) rather than as a botnet; the "phones back" entries below are the toolbar's own download, configuration and tracking endpoints, and the hosts listed as responding to its IPs are the other products of the same toolbar family.

Sample detection rate for a malicious executable:

MD5: b32acfece8089e52fa2288cb421fa9de

Related malicious domains known to have responded to the same malicious C&C server IPs (74.113.233.48; 74.113.237.48; 66.235.119.48):

hxxp://myinfo.mywebsearch.com
hxxp://dl.mywebsearch.com
hxxp://tbedits.mywebsearch.com
hxxp://celebsauce.dl.mywebsearch.com
hxxp://bfc.mywebsearch.com
hxxp://bar.mywebsearch.com
hxxp://int.search.mywebsearch.com
hxxp://inboxace.dl.mywebsearch.com
hxxp://internetspeedtracker.dl.mywebsearch.com
hxxp://mywebface.dl.mywebsearch.com
hxxp://easypdfcombine.dl.mywebsearch.com
hxxp://onlinemapfinder.dl.mywebsearch.com
hxxp://eliteunzip.dl.mywebsearch.com
hxxp://mytransitguide.dl.mywebsearch.com
hxxp://packagetracer.dl.mywebsearch.com
hxxp://myway.mywebsearch.com
hxxp://helpint.mywebsearch.com
hxxp://zwinky.dl.mywebsearch.com
hxxp://weatherblink.dl.mywebsearch.com
hxxp://videoscavenger.dl.mywebsearch.com
hxxp://videodownloadconverter.dl.mywebsearch.com
hxxp://translationbuddy.dl.mywebsearch.com
hxxp://totalrecipesearch.dl.mywebsearch.com
hxxp://televisionfanatic.dl.mywebsearch.com
hxxp://retrogamer.dl.mywebsearch.com
hxxp://myscrapnook.dl.mywebsearch.com
hxxp://myfuncards.dl.mywebsearch.com
hxxp://gamingwonderland.dl.mywebsearch.com
hxxp://dictionaryboss.dl.mywebsearch.com
hxxp://astrology.dl.mywebsearch.com
hxxp://utmtrk2.mywebsearch.com
hxxp://utm2.mywebsearch.com
hxxp://utm.trk.mywebsearch.com
hxxp://utm.mywebsearch.com
hxxp://ak.ssl.toolbar.mywebsearch.com
hxxp://www122.mywebsearch.com
hxxp://couponalert.dl.mywebsearch.com
hxxp://help.mywebsearch.com
hxxp://srchsugg.mywebsearch.com
hxxp://utm.gr.mywebsearch.com
hxxp://utmtrk.gr.mywebsearch.com
hxxp://dp.mywebsearch.com
hxxp://download.mywebsearch.com
hxxp://www64.mywebsearch.com
hxxp://filmfanatic.mywebsearch.com
hxxp://mywebface.mywebsearch.com
hxxp://fromdoctopdf.dl.mywebsearch.com
hxxp://www173.mywebsearch.com
hxxp://www153.mywebsearch.com
hxxp://www170.mywebsearch.com
hxxp://www176.mywebsearch.com
hxxp://www155.mywebsearch.com
hxxp://www186.mywebsearch.com
hxxp://www156a.mywebsearch.com
hxxp://www187.mywebsearch.com
hxxp://www198.mywebsearch.com
hxxp://www154.mywebsearch.com
hxxp://cfg.mywebsearch.com
hxxp://mapsgalaxy.dl.mywebsearch.com
hxxp://edits.mywebsearch.com
hxxp://www.mywebsearch.com
hxxp://enable.mywebsearch.com
hxxp://live.mywebsearch.com
hxxp://config.mywebsearch.com
hxxp://anx.mywebsearch.com
hxxp://bstat.mywebsearch.com
hxxp://updates.mywebsearch.com
hxxp://home.mywebsearch.com
hxxp://search.mywebsearch.com
hxxp://stats.mywebsearch.com
hxxp://akd.search.mywebsearch.com
hxxp://ak2.home.mywebsearch.com
hxxp://ak.search.mywebsearch.com
hxxp://ak.toolbar.mywebsearch.com
Related malicious MD5s known to have participated in the campaign:

MD5: 83cdb402fcd68947f7519eaad515fa5a
MD5: 6b31cc25e68d5d008e319c4a1c8c4098
MD5: f2392d18a266f554743b495b4e71b2be
MD5: 9bcaeb5b4bdd6b9e22852a98ca630914
MD5: 4fd260e17ca40a31a7baace9af1b7db9

Once executed, a sample malware (MD5: 83cdb402fcd68947f7519eaad515fa5a) phones back to the following C&C servers:

hxxp://178.150.139.157/search.htm
hxxp://sev2012.com/page_click.php - 141.8.224.239; 54.72.9.51; 91.220.131.33; 91.236.116.20
hxxp://62.122.107.119/install.htm

Known to have responded to the same malicious C&C server IP (178.150.139.157) are also the following malicious domains:

hxxp://cejzesu.com
hxxp://hqyibul.wuwykym.net

Related malicious MD5s known to have responded to the same malicious C&C server IP:

MD5: c92a9961e6096eb7af3a34e9e48114f1
MD5: 25789eec9e0d4b5cdf184bf41460808e
MD5: 1a72e482e6ec352ae4c9206b92776f01
MD5: e22a0fd64e5b6193be655cc29ed19755
MD5: fe8a027fd45ec9621b34a20bc907fb2c

Once executed, a sample malware (MD5: c92a9961e6096eb7af3a34e9e48114f1) phones back to the following C&C servers:

hxxp://178.150.244.54/mod2/mentalc.exe
hxxp://178.150.139.157/mod1/mentalc.exe

Once executed, a sample malware (MD5: 25789eec9e0d4b5cdf184bf41460808e) phones back to the following C&C servers:

hxxp://95.180.66.40/mod2/b0ber01.exe
hxxp://91.245.79.46/mod1/b0ber01.exe
hxxp://178.150.139.157/mod1/b0ber01.exe

Once executed, a sample malware (MD5: 1a72e482e6ec352ae4c9206b92776f01) phones back to the following C&C servers:

hxxp://77.123.73.34/keybex4.exe
hxxp://178.150.139.157/keybex4.exe

Once executed, a sample malware (MD5: e22a0fd64e5b6193be655cc29ed19755) phones back to the following C&C servers:

hxxp://176.194.18.198/mod2/ozersid.exe
hxxp://176.110.28.238/mod1/ozersid.exe
hxxp://46.73.67.61/mod2/ozersid.exe
hxxp://178.150.209.116/mod2/ozersid.exe
hxxp://178.150.139.157/mod2/ozersid.exe
hxxp://193.32.14.186/mod1/ozersid.exe
hxxp://46.211.9.37/mod1/ozersid.exe

Once executed, a sample malware (MD5: fe8a027fd45ec9621b34a20bc907fb2c) phones back to the following C&C servers:

hxxp://178.150.139.157/welcome.htm
hxxp://77.122.28.206/default.htm
hxxp://77.122.28.206/online.htm
hxxp://mydear.name/page_umax.php

Once executed, a sample malware (MD5: 6b31cc25e68d5d008e319c4a1c8c4098) phones back to the following C&C servers:

hxxp://cytpaxiz.us/rasta01.exe
hxxp://60.36.47.71/file.htm
hxxp://219.204.4.3/search.htm

Once executed, a sample malware (MD5: f2392d18a266f554743b495b4e71b2be) phones back to the following C&C servers:

hxxp://46.121.221.173/start.htm
hxxp://burhyyal.epfusgy.com/calc.exe
hxxp://178.150.138.2/install.htm

Once executed, a sample malware (MD5: 9bcaeb5b4bdd6b9e22852a98ca630914) phones back to the following C&C servers:

hxxp://159.224.191.47/install.htm
hxxp://109.87.184.7/setup.htm

Once executed, a sample malware (MD5: 4fd260e17ca40a31a7baace9af1b7db9) phones back to the following C&C servers:

hxxp://178.158.237.37/welcome.htm
hxxp://178.165.13.17/home.htm

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (74.113.233.48):

MD5: a3470a214ec34f7a0b9330e44af80714
MD5: 31593f94936e63152d35ca682fb9ef0b
MD5: eb003b7665b34f6ed3a7944e4254ad2d
MD5: ed1c465beca9596a9031580d1093cb13
MD5: cace61ddd8f8e30cf1f52f9ad6c66578

Once executed, a sample malware phones back to the following malicious C&C servers:

hxxp://home.mywebsearch.com - 74.113.233.48
hxxp://akd.search.mywebsearch.com - 5.178.43.17
hxxp://ak.imgfarm.com - 90.84.60.81
hxxp://anx.mywebsearch.com - 74.113.233.187

Related malicious MD5s known to have responded to the same malicious C&C server IPs:

MD5: 11ddcf7bd806c9ef24cc84a440629e68
MD5: 8c1e63b34c678b48c63ba369239d5718
MD5: 10b4c54646567dcee605f5c36bfa8f17
MD5: 70dbce98f1d62c03317797a1dd3da151
MD5: ee00f47a51e91a1f70a5c7a0086b7220

Once executed, a sample malware (MD5: 11ddcf7bd806c9ef24cc84a440629e68) phones back to the following malicious C&C servers:

hxxp://78.62.197.14/online.htm
hxxp://89.46.92.232/welcome.htm
hxxp://89.46.92.232/login.htm

Once executed, a sample malware (MD5: 8c1e63b34c678b48c63ba369239d5718) phones back to the following malicious C&C servers:

hxxp://109.251.217.207/home.htm
hxxp://109.251.217.207/login.htm

Once executed, a sample malware (M
D5: 10b4c54646567dcee605f5c36bfa8f17) phones back to the following malicious C&C server:

hxxp://91.221.219.12/setup.htm

Once executed, a sample malware (MD5: 70dbce98f1d62c03317797a1dd3da151) phones back to the following malicious C&C servers:

hxxp://89.229.4.22/install.htm
hxxp://89.229.4.22/default.htm

Once executed, a sample malware (MD5: ee00f47a51e91a1f70a5c7a0086b7220) phones back to the following malicious C&C servers:

hxxp://89.229.4.22/install.htm
hxxp://89.229.4.22/default.htm

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Koobface Gang Utilizes Google Groups, Serves Scareware and Malicious Software (2016-12-25 19:58)

In a cybercrime ecosystem dominated by malicious software releases, cybercriminals continue to grow their botnets' infected population, affecting hundreds of thousands of users globally and exposing the confidentiality, integrity and availability of the affected hosts to a multitude of malicious software, while earning fraudulent revenue by monetizing access to those hosts, most often through an affiliate-network based monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign abusing Google Groups: bogus links spammed to the groups entice users into clicking through to a multitude of malicious software, including fake security software, also known as scareware.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, and establish a direct connection between the campaign and the Koobface gang.

Related rogue Google Groups accounts known to have participated in the campaign (account - number of messages posted):

- anisimivachevl? - 1125 messages
- ilariongrishelev24 - 1099 messages
- yuvenaliyarzhannikovlS - 1108 messages
- bumiemetheny52 - 1035 messages
- mengrug - 1090 messages
- silabobrov27 - 1116 messages

Related malicious URIs known to have participated in the campaign:

hxxp://wut.im/343535
hxxp://tpal.us/wedding2
hxxp://shrtb.us/New_year_video
hxxp://snipurl.com/tx2r6
hxxp://www.tcp3.com/helga-4315
hxxp://budurl.com/egph
hxxp://flipto.com/jokes/
hxxp://rejoicetv.info/newyear
hxxp://fauz.me/?livetv
hxxp://go2.vg/funnykids
hxxp://usav.us/anecdotes
hxxp://vaime.org/joke
hxxp://theflooracle.com/mistakes
hxxp://dashurl.com/video-jokes
hxxp://www.shortme.info/smileykids/
hxxp://starturl.com/clip32112
hxxp://starturl.com/rebeca
hxxp://starturl.com/video2231
hxxp://starturl.com/funclip
hxxp://starturl.com/sexchat
hxxp://www.41z.com/animals
hxxp://www.rehttp.com/?smileykids
hxxp://starturl.com/adamaura
hxxp://mytinyurls.com/wfj

Sample detection rate for a malicious executable:

MD5: 1e0d06095a32645c3f57f1b4dcbcfe5c

Sample malicious URL involved in the campaign:

hxxp://newsekuritylist.com/index.php?affid=92600 - 213.163.89.56 - Email: Bobby.J.Hyatt@gmail.com

Parked there are also the following domains, with their associated email addresses:

hxxp://networkstabilityinc.com - Email: juliacanderson@pookmail.com; marcusmhuffaker@mailinator.com; justinpnelson@dodgit.com
hxxp://indiansoftwareworld.com - Email: thelmamhandley@trashymail.com; leanngscofield@gmail.com; ernestygresham@trashymail.com
hxxp://antyvirusdevice.com - Email: latonyawmiller@pookmail.com; royawiley@pookmail.com; gracegoshea@pookmail.com
hxxp://digitalprotectionservice.com - Email: clarencepfetter@trashymail.com; jamesdrobinson@pookmail.com
hxxp://bestantyvirusservice.com - Email: kathrynrsmith@gmail.com; richardbhughey@gmail.com; joshuamwest@trashymail.com
hxxp://antivirussoftrock.com - Email: michaelaturner@trashymail.com; gracemparker@trashymail.com; cliffordsfernandez@pookmail.com
hxxp://antywiramericasell.com - Email: Shannon.J.Ferguson@gmail.com
hxxp://antydetectivewaemergencyroom.com - Email: brettdpetro@gmail.com; valeriejweaver@dodgit.com; williekharris@mailinator.com
hxxp://freeinternetvacation.com - Email: edwardmyoung@trashymail.com; aileenasaylor@gmail.com; williamjoverby@trashymail.com
hxxp://aolbillinghq.com - Email: haroldamccarthy@trashymail.com; teodoromkeller@trashymail.com; joanswhite@dodgit.com
hxxp://scanserviceprovider.com - Email: rogerdmurphy@gmail.com; charlescvalentino@mailinator.com; eliarmcdonald@trashymail.com
hxxp://securitytoolsquotes.com - Email: thurmanepidgeon@dodgit.com; jessicapgrady@dodgit.com; jamesmcummings@trashymail.com
hxxp://electionprogress.com - Email: clarenceafloyd@pookmail.com; junerwurth@pookmail.com; edjbaxter@gmail.com
hxxp://myantywiruslist.com - Email: Nathan.S.Dennis@gmail.com
hxxp://antyspywarelistnow.com - Email: James.M.Miller@gmail.com
hxxp://securitylabtoday.com - Email: Marc.N.Torres@gmail.com
hxxp://youmecessary.com - Email: debrahbettis@gmail.com; myracbryant@dodgit.com; marycwilliams@dodgit.com
hxxp://securityutilitysite.net - Email: michellemwelch@mailinator.com; charlesdfrazier@trashymail.com; rosaliejhumphrey@pookmail.com
hxxp://securitytoolsshop.net - Email: sarajgunter@gmail.com; kerstinrbray@gmail.com; keithrdejesus@mailinator.com
hxxp://securitytooledit.net - Email: byronlross@pookmail.com; jamesslewis@mailinator.com; leighschancey@trashymail.com
hxxp://portsecurityutility.net - Email: marquettacpettit@trashymail.com; melindakbolin@pookmail.com; rhondaehipp@mailinator.com

Note that nearly all of these contacts use disposable mailbox services (mailinator.com, dodgit.com, trashymail.com, pookmail.com), a reliable tell for bulk-registered scareware domains.
Sample detection rate for a malicious executable:

MD5: 4a3e8b6b7f42df0f26e22faafaa0327f

MD5: 64alllacdc77762f261b9f4202e98d29

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://newsekuritylist.com/in.php?affid=92600

Sample URL redirection chain:

hxxp://rejoicetv.info/newyear
- hxxp://91.207.4.19/tds/go.php?sid=3
- hxxp://liveeditionpc.net/?uid=297&pid=3&ttl=11845621a62 - 95.169.187.216 - korn989.net; liveeditionpc.net; createpc-pcscan-korn.net
- hxxp://www1.hotcleanofyour-pc.net/p=== - 98.142.243.174 - live-guard-forpc.net is also parked there

Sample detection rate for a malicious executable:

MD5: 4912961c36306dl56e4e2b335c51151b

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://update2.pcliveguard.com/index.php?controller=hash - 124.217.251.99

hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=

hxxp://securityearth.cn/Reports/MicroinstallServiceReport.php - 210.56.53.125

Sample URL redirection chain:

hxxp://garlandvenit.150m.com
- hxxp://online-style2.com
- hxxp://scanner-malware15.com/scn3/?engine=
- hxxp://scanner-malware15.com/download.php?id=328s3

Related malicious domains known to have participated in the campaign:

Sample URL redirection chain:

hxxp://egoidengiove.com/images/bin/movie/
- hxxp://egoidengiove.com/images/bin/movie/Flash_Update_1260873156.exe

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://2-weather.com/?pid=328s03&sid=3593b2&d=3&name=Loading%20video - 66.197.160.104 - mail@tatrum-verde.com

hxxp://scanner-spya8.com/scn3/?engine= - info@gainweight.com



Sample detection rate for a malicious executable:

MD5: bfaba92c3c0eaec61679f03ff0eb0911

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://91.212.226.185/download/winlogo.bmp (windowsaltserver.com)

Related malicious domains known to have participated in the campaign:

hxxp://2-coat.com - 193.104.22.202 - Email: mail@tatrum-verde.com

hxxp://2-weather.com - 193.104.22.202 - Email: mail@tatrum-verde.com - currently embedded on Koobface-infected hosts pushing scareware

hxxp://online-style2.com - 66.197.160.104 - Email: mail@tatrum-verde.com

hxxp://scanner-malware15.com - Email: info@natural-health.org

Related malicious IPs known to have participated in the campaign:

hxxp://68.168.212.142

hxxp://91.212.226.97

hxxp://66.197.160.105

Parked on 68.168.212.142: 


Parked on 91.212.226.97; 66.197.160.105: 


Parked on 66.197.160.104: 


What's particularly interesting about this campaign is the direct connection with the Koobface gang, taking into consideration the fact that the redirector hxxp://online-style2.com/?pid=312s03&sid=4dbl2f has also been used by Koobface-infected hosts and, most importantly, the fact that a sampled scareware campaign from December 2009 was serving scareware parked on 193.104.22.200, where the Koobface scareware portfolio is parked, as previously profiled and analyzed.

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Hundreds of Malicious Web Sites Serve Client-Side Exploits, Lead to Rogue YouTube Video Players (2016-12-25 21:47)

In a cybercrime ecosystem dominated by hundreds of malicious software releases, cybercriminals continue actively populating a botnet's infected population, further spreading malicious software, potentially compromising the confidentiality, integrity and availability of the affected hosts, potentially exposing the affected user to a multitude of malicious software, and earning fraudulent revenue in the process of monetizing the access to the malware-infected hosts, largely relying on an affiliate-network based type of fraudulent revenue monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign enticing users into clicking on bogus and rogue links, potentially exposing the confidentiality, integrity and availability of the affected hosts, ultimately attempting to socially engineer users into interacting with rogue YouTube Video Players and dropping fake security software, also known as scareware, on the affected hosts, with the cybercriminals behind the campaign actively earning fraudulent revenue, largely relying on the utilization of an affiliate-network based type of monetization scheme.

In this post, we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample URL redirection chain:

hxxp://acquaintive.in/x.html - 208.87.35.103
- hxxp://xxxvideo-hlyl.cz.cc/video7/?afid=24 - 63.223.117.10
- hxxp://binarymode.in/topic/j.php - 159.148.117.21 - Email: enquepuedo.senior@gmail.com
- hxxp://binarymode.in/topic/exe.php?x=jjar
- hxxp://binarymode.in/topic/?showtopic=ecard&bid=151&e=post&done=image

Related malicious MD5s known to have responded to the same C&C server IPs (208.87.35.103):

MD5: al2c055f201841f4640084a70b34c0c4

MD5: b4d435fl5d094289839eac6228088baf 

MD5: 2782220da587427b981f07dc3e3e0d96 

MD5: 1151cd39495c295975b8c85bd4b385e5 

MD5: 2539d5d836f058afbbf03cb24e41970c 

Once executed, a sample malware (MD5: al2c055f201841f4640084a70b34c0c4) phones back to the following C&C server IPs:

hxxp://926garage.com - 185.28.193.192
hxxp://quistsolutions.eu - 188.165.239.53
hxxp://rehabilitacion-de-drogas.org - 188.240.1.110
hxxp://bcbrownmusic.com - 69.89.21.66
hxxp://andziOI.5v.pl - 46.41.150.7
hxxp://alsaei.com - 192.186.194.133

Once executed, a sample malware (MD5: 2782220da587427b981f07dc3e3e0d96) phones back to the following C&C server IPs:

hxxp://lafyeri.com 

hxxp://kulppasur.com - 209.222.14.3 
hxxp://toalladepapel.com.ar - 184.168.57.1 
hxxp://www.ecole-saint-simon.net - 208.87.35.103 
Once executed, a sample malware (MD5: 2539d5d836f058afbbf03cb24e41970c) phones back to the following C&C server IPs:

hxxp://realquickmedia.com (208.87.35.103)

Related malicious domains known to have responded to the same malicious C&C server IPs (109.74.195.149):


Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (109.74.195.149):

MD5: a6c06a59da36eelae96ffaff37dl2f28
MD5: 2dlbb6ca54f4c093282ea30e2096af0f
MD5: adf037ecbd4e7af573ddeb7794b61c40
MD5: Ce7d4a493fc4b3c912703f084d0d61el
MD5: C36941693eeef3fa54ca486044c6085a



Once executed, a sample malware (MD5: a6c06a59da36eelae96ffaff37dl2f28) phones back to the following malicious C&C server IPs:

hxxp://replost.com - 109.74.195.149

hxxp://zeplost.com - 109.74.195.149

Once executed, a sample malware (MD5: 2dlbb6ca54f4c093282ea30e2096af0f) phones back to the following malicious C&C server IPs:

hxxp://qweplost.com - 109.74.195.149

Related malicious domains known to have responded to the same malicious C&C server IPs (96.126.106.156):


Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 0183a687365cc3eb97bb5c2710952f95
MD5: fle3030a83fa2fl4f271612a4cle914cb
MD5: 97269450cle58ef5fb8cl449008e550bf0
MD5: C83962659f6773b729aa222bcl5b03f2f
MD5: e0aa08cl4cl98c3430204clbb6f4c980el

Once executed, a sample malware (MD5: 0183a687365cc3eb97bb5c2710952f95) phones back to the following malicious C&C server IPs:

hxxp://replost.com - 96.126.106.156

Once executed, a sample malware (MD5: fle3030a83fa2fl4f271612a4de914cb) phones back to the following malicious C&C server IPs:

hxxp://gercourses.com/borders.php

Once executed, a sample malware (MD5: 97269450de58ef5fb8d449008e550bf0) phones back to the following malicious C&C server IPs:

hxxp://checkwebspeed.net - 96.126.106.156

Once executed, a sample malware (MD5: c83962659f6773b729aa222bd5b03f2f) phones back to the following malicious C&C server IPs:

hxxp://checkwebspeed.net - 96.126.106.156

Once executed, a sample malware (MD5: e0aa08d4d98c3430204clbb6f4c980el) phones back to the following malicious C&C server IPs:

hxxp://replost.com - 96.126.106.156

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware (2016-12-25 22:43)

In a cybercrime ecosystem dominated by hundreds of malicious software releases, cybercriminals continue actively populating their botnet's infected population with hundreds of newly added socially engineered users, potentially exposing the confidentiality, integrity and availability of the affected hosts to a multitude of malicious software, further spreading malicious software and earning fraudulent revenue in the process of obtaining access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type of monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign utilizing black hat SEO (search engine optimization) tactics, techniques and procedures for traffic acquisition, potentially exposing hundreds of thousands of socially engineered users to a multitude of malicious software, including fake security software, also known as scareware, with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing the hijacked traffic, largely relying on the utilization of an affiliate-network type of monetization scheme.

In this post, we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Related malicious domains known to have participated in the campaign:

hxxp://blank_fax_forms.jevjahys.zik.dj -> hxxp://radioheadicon.cn - 216.172.154.34; 205.164.24.44; 205.164.24.45

Related malicious domains known to have participated in the campaign:

hxxp://aizvfnnd.cc - Email: janice@whiteplainsrealty.com

Sample malicious redirector used in the campaign: hxxp://bostofstenl.net

Related malicious MD5s known to have responded to the same malicious C&C server IPs (216.172.154.34):

MD5: ad04fd31e9868b073222b3fd2aac93f7
MD5: 103ecb766e0deb06ccbcea0a8046b4cb
MD5: eb0fab963cd37660956a7ab0c66715c2
MD5: 00da0096bd91e89e4059c428259a6cbb
MD5: 9b7f0e0ebfl656227de9f8f97dfd9141

Once executed, a sample malicious executable (MD5: ad04fd31e9868b073222b3fd2aac93f7) phones back to the following malicious C&C server IPs:

hxxp://down.down988.cn - 65.19.157.228

Once executed, a sample malicious executable (MD5: 00da0096bd91e89e4059c428259a6cbb) phones back to the following malicious C&C server IPs:

hxxp://cutalot.cn - 205.164.24.43

Related malicious domains known to have responded to the same malicious C&C server IPs (205.164.24.44):



Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: Cf7a53e66e397c29ea203e025c5ci6465
MD5: 089886483353f93a36cici69f0776beace
MD5: 528ac8f94123aaa32058f0114b8elfci2
MD5: 4e8405bb398509fl7242c0b9f614ci6e4
MD5: a364ci4fe887e2e40bclec67aci6f9aa31

Once executed, a sample malware (MD5: cf7a53e66e397c29ea203e025c5d6465) phones back to the following malicious C&C server IPs:

hxxp://biencierartists.org - 141.101.125.180
hxxp://xibuciific.cn - 50.117.122.92
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://hardwareindexx.com
hxxp://hardwareindexx.com.ovh.net



Once executed, a sample malware (MD5: 089886483353f93a36dd69f0776beace) phones back to the following malicious C&C server IPs:

hxxp://freeonlinedatingtips.net - 204.197.252.70
hxxp://xibudific.cn - 216.172.154.38
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://searchfeedbook.com
hxxp://searchfeedbook.com.ovh.net

Once executed, a sample malware (MD5: 528ac8f94123aaa32058f0114b8elfd2) phones back to the following malicious C&C server IPs:

hxxp://historykiiierpro.com - 192.254.233.158
hxxp://motherboardstest.com - 195.22.26.252
hxxp://dolbyaudiodevice.com
hxxp://dolbyaudiodevice.com.ovh.net
hxxp://xibudific.cn - 50.117.116.204

Once executed, a sample malware (MD5: 4e8405bb398509fl7242c0b9f614d6e4) phones back to the following malicious C&C server IPs:

hxxp://pcskynet.cn
hxxp://gamepknet.cn
hxxp://pcskynet.cn.ovh.net
hxxp://gamepknet.cn.ovh.net
hxxp://yesl6800.cn
hxxp://yesl6800.cn.ovh.net

Once executed, a sample malware (MD5: a364d4fe887e2e40bclec67ad6f9aa31) phones back to the following malicious C&C server IPs:

hxxp://136136.com - 61.129.70.87
hxxp://xibuclific.cn - 50.117.122.92
hxxp://hothintspotonline.com
hxxp://hothintspotonline.com.ovh.net
hxxp://hardwareindexx.com

Related malicious domains known to have responded to the same malicious C&C server IPs (205.164.24.45):


Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 9905ba7c00761a792ad8a361b4de71ea
MD5: b83c68f7d09530181908d513eb30a002
MD5: 78941c2c4b05f8af9a31a9f3d4c94b57
MD5: 7alb6153a3f00c430b09flc7b9cf7a77
MD5: 2776c972fa934fd080f5189be7c98a77

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://down.down988.cn - 50.117.122.91

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://imagehut4.cn - 50.117.122.91

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://yingzi.org.cn - 50.117.116.205

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://qmmmm.com.cn - 50.117.122.94

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://down.down988.cn - 50.117.122.94



We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware - Part Two (2017-01-05 10:22)

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively populating their botnet's infected population, further spreading malicious software and earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type of monetization scheme.

We've recently intercepted a currently active malicious black hat SEO (search engine optimization) campaign serving malicious software to unsuspecting users, further monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type of monetization scheme.

In this post, we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Related malicious domains known to have participated in the campaign:

hxxp://notice-of-unreported-income-email.donatehalf.com

hxxp://911-pictures.jewishreference.com

hxxp://911-pictures.dpakman91.com

hxxp://9-11-quotes.midweekpolitics.com

Sample URL redirection chain:

hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237
- hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf
- hxxp://vpizdutebygugol.xorg.pl/go/ - 193.203.99.111
- hxxp://vpizdutebygugol.xorg.pl/go4/
- hxxp://free-checkpc.com/l/d709f38e78s84y76u - 193.169.12.5
- hxxp://safe-fileshere.com/s/w58238e9a6dh76k73r/setup.exe - 193.169.12.5


Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (193.203.99.111):

MD5: b761960b60f2e5617b4da2e303969ffl
MD5: a27ae350b9d29bl3749bl4e376a00b52
MD5: adbad83fadc017d60972efa65eb3c230
MD5: bl323d4c7elf6455701d49621edfb545
MD5: Cl66767c8aa7a8eee0dl2a6d9646b3e8

Once executed, a sample malware (MD5: b761960b60f2e5617b4da2e303969ffl) phones back to the following malicious C&C server IPs:

hxxp://bdx.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: a27ae350b9d29bl3749bl4e376a00b52) phones back to the following malicious C&C server IPs:

hxxp://vboxsvr.ovh.net

hxxp://gwg.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: adbad83fadc017d60972efa65eb3c230) phones back to the following malicious C&C server IPs:

hxxp://vboxsvr.ovh.net

hxxp://htu.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: bl323d4c7elf6455701d49621edfb545) phones back to the following malicious C&C server IPs:

hxxp://htu.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: Cl66767c8aa7a8eee0dl2a6d9646b3e8) phones back to the following malicious C&C server IPs:

hxxp://bdx.xorg.pl - 193.203.99.111

Sample detection rate for a sample malicious executable:

MD5: 7df300b01243a42b4ddff724999cd4f7

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://updatepcnow.com - 208.73.211.249

hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8

Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs 
(208.73.211.249): 

MD5: 940be22f37e30c90d9fded842c23b24d 
MD5: ef29c61908f678f313aa298343845175 
MD5: 47f5002a0b9d312f28822d92a3962c81 
MD5: ba83653117a6196d8b2a52fbl68b8142 


MD5: f29209flca6c4666207ea732clf32978 



Once executed, a sample (MD5: 940be22f37e30c90d9fded842c23b24d) phones back to the following malicious C&C servers:

hxxp://softonic-analytics.net - 46.28.209.74

hxxp://superscan.sd.en.softonic.com - 46.28.209.70

hxxp://www.ledyazilim.com - 213.128.83.163

Once executed, a sample (MD5: ef29c61908f678f313aa298343845175) phones back to the following malicious C&C servers:

hxxp://ksandrafashion.com - 208.73.211.173

hxxp://www.lafyeri.com

hxxp://kulppasur.com

Once executed, a sample (MD5: 47f5002a0b9d312f28822d92a3962c81) phones back to the following malicious C&C server:

hxxp://ftuny.com/borders.php

Once executed, a sample (MD5: ba83653117a6196d8b2a52fb168b8142) phones back to the following malicious C&C servers:

hxxp://mhc.ir - 82.99.218.195

hxxp://naphooclub.com - 208.73.211.173

hxxp://mdesigner.ir - 176.9.98.58

Once executed, a sample (MD5: f29209f1ca6c4666207ea732c1f32978) phones back to the following malicious C&C server:

hxxp://ftuny.com/borders.php
Related malicious MD5s known to have phoned back to the same malicious C&C server IP (50.63.202.54):

MD5: 45497b47a6df2f6216b4c4bebc572dd3

MD5: d5585af92c512bec3009b1568c8d2f7d

MD5: 08db02c9873c0534656901d5e9501f46

MD5: 830b22b4a0520d1b46a493f03a6a0a66

MD5: 5ee1bfa766f367393782972718d4e82f

Once executed, a sample (MD5: 45497b47a6df2f6216b4c4bebc572dd3) phones back to the following malicious C&C servers:

hxxp://lordofthepings.ru - 173.254.236.159

hxxp://poppylols.ru

hxxp://chuckboris.ru

hxxp://kosherpig.xyz - 195.157.15.100

Once executed, a sample (MD5: d5585af92c512bec3009b1568c8d2f7d) phones back to the following malicious C&C servers:

hxxp://riddenstorm.net - 208.100.26.234

hxxp://lordofthepings.ru - 173.254.236.159

hxxp://yardnews.net - 104.154.95.49

Once executed, a sample (MD5: 08db02c9873c0534656901d5e9501f46) phones back to the following malicious C&C servers:

hxxp://riddenstorm.net - 208.100.26.234

hxxp://lordofthepings.ru - 173.254.236.159

hxxp://musicbroke.net - 195.22.28.210

Once executed, a sample (MD5: 830b22b4a0520d1b46a493f03a6a0a66) phones back to the following malicious C&C servers:

hxxp://riddenstorm.net - 208.100.26.234

hxxp://lordofthepings.ru - 173.254.236.159

Once executed, a sample (MD5: 5ee1bfa766f367393782972718d4e82f) phones back to the following malicious C&C servers:

hxxp://riddenstorm.net - 208.100.26.234

hxxp://lordofthepings.ru - 173.254.236.159

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (54.85.196.8):

MD5: 05288748ddccf2e5fedef5d9e8218fef

MD5: 08936ff676b062a87182535bce23d901

MD5: ea2b2ea5a0bf2b8f6403b2200e5747a7

MD5: 8a7e330ad88dcb4ced3e5e843424f85f

MD5: bf3d996376663feaea6031b1114eb714

Related malicious domains known to have participated in the campaign:

hxxp://graveslll.net - 64.86.17.47 - Email: gertrudeedickens@text2re.com
hxxp://lendinglO.com
hxxp://adriafin.com
hxxp://7sevenseas.com
hxxp://ironins.com
hxxp://trdatasft.com
hxxp://omeoqka.cn
hxxp://trustshield.cn
hxxp://capide.cn
hxxp://tds-soft.comewithus.cn
hxxp://graveslll.net
hxxp://reversfor5.net
hxxp://limestee.net
hxxp://landlang.net
hxxp://langlan.net
hxxp://limpopos.net
hxxp://clarksinfact.net



Sample URL redirection chain:

hxxp://checkvirus-zone.com - 64.86.16.7 - Email: gertrudeedickens@text2re.com

- hxxp://checkvirus-zone.com/?p=

Sample detection rate for a sample malicious executable:

MD5: b157106188c2debab5d2f1337c708e35

Once executed, the sample phones back to the following malicious C&C servers:

hxxp://pencil-netwok.com/?act=fb&1=1&2=0&3= - 204.11.56.48; 204.11.56.45; 209.222.14.3; 208.73.210.215; 208.73.211.152; 204.13.160.107

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 3c3346426923504571f81caffdac698d

MD5: ad4244794693b41c775b324c4838982a

MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e

MD5: 0526944bfb43b14d8f72fd184cd8c259

MD5: 29932b0cb61011ffc4834c3b7586d956

Once executed, a sample (MD5: 3c3346426923504571f81caffdac698d) phones back to the following malicious C&C servers:

hxxp://www.vancityprinters.com - 104.31.76.211

hxxp://vancityprinters.com - 23.94.18.39

hxxp://vinasonthanh.com - 123.30.109.9

Once executed, a sample (MD5: ad4244794693b41c775b324c4838982a) phones back to the following malicious C&C servers:

hxxp://banboon.com - 204.11.56.48

hxxp://bdb.com.my - 103.4.7.143

hxxp://baulaung.org - 52.28.249.128

Once executed, a sample (MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e) phones back to the following malicious C&C servers:

hxxp://cubingapi.com - 204.11.56.48

hxxp://error.cubingapi.com - 204.11.56.48

Once executed, a sample (MD5: 0526944bfb43b14d8f72fd184cd8c259) phones back to the following malicious C&C servers:

hxxp://www.vancityprinters.com - 104.31.77.211

hxxp://vancityprinters.com - 23.94.18.39

hxxp://vinasonthanh.com - 123.30.109.9

Once executed, a sample (MD5: 29932b0cb61011ffc4834c3b7586d956) phones back to the following malicious C&C servers:

hxxp://vancityprinters.com - 23.94.18.39

hxxp://vinasonthanh.com - 123.30.109.9

hxxp://rms365x24.com - 166.78.145.90

We'll continue monitoring the campaign and post updates as soon as new developments take place.
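As an added example (my code, not part of the original write-up or the author's tooling), the following Python turns a listing in the format used throughout this post ("hxxp://host/path - IP; IP" hops and "MD5: <hash>" lines) into a structured IOC set and runs it over a few proxy log lines. The indicator excerpt and the log lines inside the script are constructed for the example; the OCR repair in normalize_md5 (l/I read as 1, O read as 0) is my assumption about how the published hashes were damaged, not something the write-up states.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the write-up's own listing format.  The hashes and
# hosts are copied from the indicators above; one MD5 is left with the
# "l"-for-"1" OCR damage on purpose so the repair path is exercised.
IOC_TEXT = """
hxxp://updatepcnow.com - 208.73.211.249
hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8
- hxxp://http://free-checkpc.com/l/d709f38e78s84y76u - 193.169.12.5
MD5: 7df300b01243a42b4ddff724999cd4f7
MD5: ba83653117a6196d8b2a52fbl68b8142
"""

# "hxxp://host/path - IP; IP"; the stray "http://" after "hxxp://" occurs in
# the listing and is tolerated.  The IP part is optional.
URL_RE = re.compile(r"hxxp://(?:http://)?(\S+?)(?:\s+-\s+([\d.; ]+))?$")
MD5_RE = re.compile(r"MD5:\s*([0-9A-Za-z]{32})")
# Assumed OCR confusions inside a hex string: l/I for 1, O for 0.  None of
# those letters can be a hex digit, so the repair is unambiguous.
OCR_FIX = str.maketrans({"l": "1", "I": "1", "O": "0"})


def normalize_md5(raw):
    """Lowercase 32-char hex MD5 after OCR repair, or None if still not hex."""
    fixed = raw.translate(OCR_FIX).lower()
    return fixed if re.fullmatch(r"[0-9a-f]{32}", fixed) else None


def refang(url_body):
    """hxxp:// is a defang of http://; restore it so urlsplit can parse the host."""
    return "http://" + url_body


def parse_iocs(text):
    """Extract (hosts, ips, md5s) sets from a listing in the format above."""
    hosts, ips, md5s = set(), set(), set()
    for line in text.splitlines():
        line = line.strip().lstrip("- ").strip()   # drop the "- " chain marker
        m = URL_RE.match(line)
        if m:
            hosts.add(urlsplit(refang(m.group(1))).hostname.lower())
            if m.group(2):
                ips.update(ip for ip in re.split(r"[;\s]+", m.group(2)) if ip)
            continue
        m = MD5_RE.match(line)
        if m:
            h = normalize_md5(m.group(1))
            if h:
                md5s.add(h)
    return hosts, ips, md5s


# Constructed proxy log lines: "<timestamp> <client> <destination IP> <url>".
LOG_LINES = [
    "2016-04-24T21:10:03 10.0.0.12 208.73.211.249 http://updatepcnow.com/check",
    "2016-04-24T21:10:09 10.0.0.12 93.184.216.34 http://example.com/",
    "2016-04-24T21:11:40 10.0.0.31 193.169.12.5 http://free-checkpc.com/l/d709f38e78s84y76u",
]


def match_logs(lines, hosts, ips):
    """(client, reason) for every line whose host or destination IP is a known IOC.

    The host is checked first: a shared hosting IP on its own is a weaker
    signal than the exact C&C hostname, so the reason string says which hit.
    """
    hits = []
    for line in lines:
        _, client, dst_ip, url = line.split(" ", 3)
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts:
            hits.append((client, "host:" + host))
        elif dst_ip in ips:
            hits.append((client, "ip:" + dst_ip))
    return hits


if __name__ == "__main__":
    found_hosts, found_ips, found_md5s = parse_iocs(IOC_TEXT)
    for hit in match_logs(LOG_LINES, found_hosts, found_ips):
        print(hit)
```

Feeding the whole listing from a post through parse_iocs gives a host set, an IP set and a hash set that can be loaded into a proxy blocklist, a DNS RPZ or a file-hash hunt; the IP set should be used with care, because several of the IPs above are shared hosting or parking addresses that also serve unrelated sites.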
Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware (2017-01-05 11:19)

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue to actively populate their botnets' infected population with hundreds of malicious releases, generating hundreds of thousands in fraudulent revenue, largely by relying on an affiliate-network based monetization scheme.

We've recently intercepted a currently active malvertising campaign affecting FoxNews that successfully entices users into executing malicious software on their PCs, with the cybercriminals behind it earning fraudulent revenue through an affiliate-network based monetization scheme.

In this post, we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Sample URL redirection chain:

hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174

- hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 - (78.47.132.222)

- hxxp://redirectclicks.com/?accs=845&tid=338 - 69.172.201.153; 176.74.176.178; 64.95.64.194

- hxxp://redirectclicks.com/?accs=845&tid=339

Related malicious domains known to have participated in the campaign: hxxp://truconv.com - 78.46.88.202

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (78.46.88.202):

MD5: 473e3615795609a091a2f2d3d1be2d00

MD5: 9e51c29682a6059b9b636db8bf7dcc25

MD5: 08a50ebcaa471cd45b3561c33740136d

MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1

MD5: fcdd2790dd5b1898ef8ee29092dca757

Once executed, a sample (MD5: 473e3615795609a091a2f2d3d1be2d00) phones back to the following malicious C&C server:

hxxp://yaskiya.cyberfight.de - 78.46.88.202

Once executed, a sample (MD5: 9e51c29682a6059b9b636db8bf7dcc25) phones back to the following malicious C&C servers:

hxxp://cfgllllll.go.3322.org - 118.184.176.13

hxxp://newsoft.kilu.org - 78.46.88.202

hxxp://mywebllllll.go.3322.org

hxxp://35free.net - 5.61.39.56

hxxp://newsoftl.go.3322.org

hxxp://newsoftll.go.3322.org

Once executed, a sample (MD5: 08a50ebcaa471cd45b3561c33740136d) phones back to the following malicious C&C servers:

hxxp://darthvader.dyndns.tv

hxxp://wwwl2.subdomain.com - 78.46.88.202

Once executed, a sample (MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1) phones back to the following malicious C&C server:

hxxp://tundeghanawork.co.gp - 78.46.88.202

Once executed, a sample (MD5: fcdd2790dd5b1898ef8ee29092dca757) phones back to the following malicious C&C servers:

hxxp://newsoft.go.3322.org - 221.130.179.36

hxxp://cfgllllll.go.3322.org - 118.184.176.13

hxxp://newsoft.kilu.org - 78.46.88.202

hxxp://users6.nofeehost.com - 67.208.91.110



Related malicious MD5s known to have phoned back to the same malicious C&C server IP (69.172.201.153):

MD5: c9ca43032633584ff2ae4e4d7442f123

MD5: a099766f448acd6b032345dfd8c5491d

MD5: da39ccb40b1c80775e0aa3ab7cefb4b0

MD5: 85750b93319bd2cf57e445e1b4850b08

MD5: e521b31eb97d6d25e3d165f2fe9ca3ba

Once executed, a sample (MD5: c9ca43032633584ff2ae4e4d7442f123) phones back to the following malicious C&C servers:

hxxp://os.tokoholapisa.com - 54.229.133.176

hxxp://down2load.net - 69.172.201.153

hxxp://cdn.download2013.net - 185.152.65.38

Once executed, a sample (MD5: a099766f448acd6b032345dfd8c5491d) phones back to the following malicious C&C servers:

hxxp://chicostara.com - 91.142.252.26

hxxp://suewyllie.com

hxxp://dewpoint-eg.com - 195.157.15.100

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (176.74.176.178):

MD5: 116d07294fb4b78190f44524145eb200

MD5: f9e71f66e3aae789b245638a00b951a8

MD5: 1d6d4a64a9901985b8a005ea166df584

MD5: acfa1a5f290c7dd4859b56b49be41038

MD5: b63fd04a8cdf69fb7215a70ccd0aef27

Once executed, a sample (MD5: 116d07294fb4b78190f44524145eb200) phones back to the following malicious C&C servers:

hxxp://www.on86.com - 69.172.201.153

hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample (MD5: f9e71f66e3aae789b245638a00b951a8) phones back to the following malicious C&C servers:

hxxp://www.linkbyte.com - 69.172.201.153

hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample (MD5: 1d6d4a64a9901985b8a005ea166df584) phones back to the following malicious C&C servers:

hxxp://www.pnmchgameserver.com - 69.172.201.153

hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample (MD5: acfa1a5f290c7dd4859b56b49be41038) phones back to the following malicious C&C servers:

hxxp://www.97dn.com - 45.125.35.85

hxxp://www.97wg.com - 69.172.201.153

hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample (MD5: b63fd04a8cdf69fb7215a70ccd0aef27) phones back to the following malicious C&C servers:

hxxp://pajak.yogya.com - 69.172.201.153

hxxp://www.yogya.com

hxxp://return.uk.uniregistry.com - 176.74.176.178

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (64.95.64.194):

MD5: 7ca6214e3b75bc1f7a41aef3267afc29

Once executed, the sample phones back to the following malicious C&C servers:

hxxp://freshtravel.net - 184.168.221.36

hxxp://experiencetravel.net - 217.174.248.145

hxxp://freshyellow.net

hxxp://experienceyellow.net

hxxp://freshclose.net

hxxp://experienceclose.net



Related malicious MD5s known to have phoned back to the same malicious C&C server IP (69.43.161.174):

MD5: 674fca39caf18320e5a0e5fc45527ba4

MD5: 7017a26b53bc0402475d6b900a6c98ae

MD5: 0b61f6dfaddd141a91c65c7f290b9358

MD5: 4d5bc6b69db093824aa905137850e883

MD5: 201dee0da7b7807808d681510317ab59

Once executed, a sample (MD5: 674fca39caf18320e5a0e5fc45527ba4) phones back to the following malicious C&C servers:

hxxp://aahydrogen.com - 208.73.210.214

hxxp://greatinstant.net

hxxp://ginsdirect.net

hxxp://autouploaders.net - 185.53.177.9

Once executed, a sample (MD5: 7017a26b53bc0402475d6b900a6c98ae) phones back to the following malicious C&C servers:

hxxp://w.wfetch.com - 69.43.161.174

hxxp://ww1.w.wfetch.com - 72.52.4.90

Once executed, a sample (MD5: 4d5bc6b69db093824aa905137850e883) phones back to the following malicious C&C servers:

hxxp://greattaby.com - 69.43.161.174

hxxp://ww41.greattaby.com - 141.8.224.79

Once executed, a sample (MD5: 201dee0da7b7807808d681510317ab59) phones back to the following malicious C&C server:

hxxp://layer-ads.de - 69.43.161.174

Sample URL redirection chain:

hxxp://bonuspromooffer.com - 208.91.197.46; 141.8.226.14; 204.11.56.45; 204.11.56.26; 208.73.210.215; 208.73.211.246; 82.98.86.178

- hxxp://promotion-offer.com/vsm/adv/5?a=cspvm-sst-ozbc-sst&l=370&f=cs_3506417142&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM - 208.91.197.46; 204.11.56.48; 204.11.56.45; 204.11.56.26; 63.156.206.202; 63.149.176.12

- hxxp://easywebchecklive.com/l/fileslist.js - 94.247.2.215

- hxxp://78.47.132.222/a12/index2.php

- hxxp://78.47.132.221/a12/pdf.php?u=i1_0

- hxxp://78.47.132.221/a12/aff_12.exe?u=i1_0&spl=4

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (208.91.197.46):

MD5: b13f1af8fc426e350df11565dcf281e8

MD5: a189b3334fbd9cd357aedff22c672e9c

MD5: da53b068538ff03e2fc136c7d0816e39

MD5: ec08a877817c749597396e6b34b88e78

MD5: b9e7bf23de901280e62fd68090b5b8fa

Once executed, a sample (MD5: b13f1af8fc426e350df11565dcf281e8) phones back to the following malicious C&C servers:

hxxp://dtrack.sslsecure1.com - 193.166.255.171

hxxp://staticrr.paleokits.net - 205.251.219.192

hxxp://dtrack.secdls.com

hxxp://staticrr.sslsecure1.com

Once executed, a sample (MD5: a189b3334fbd9cd357aedff22c672e9c) phones back to the following malicious C&C servers:

hxxp://staticrr.paleokits.net - 54.230.11.231

hxxp://staticrr.sslsecure1.com - 193.166.255.171

hxxp://staticrr.sslsecure2.com

hxxp://staticrr.sslsecure3.com - 208.91.197.46

Once executed, a sample (MD5: ec08a877817c749597396e6b34b88e78) phones back to the following malicious C&C servers:

hxxp://skyworldent.com

hxxp://solitaireinfo.com

hxxp://speedholidays.com - 206.221.179.26

Once executed, a sample (MD5: b9e7bf23de901280e62fd68090b5b8fa) phones back to the following malicious C&C servers:

hxxp://api.v2.secdls.com

hxxp://api.v2.sslsecure1.com - 193.166.255.171

hxxp://api.v2.sslsecure2.com

hxxp://api.v2.sslsecure3.com - 208.91.197.46

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 969601cbf069a849197289e042792419

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Who's Who in Cyber Crime for 2007? - New Media Malware Gang

• The Gang speaks out - "get lost" and die()

• Dots dots dots

• musicbox1.cn/iframe.php refreshes textdesk.com - refreshing Storm Worm domains - eliteproject.cn; takenames.cn; blOcker.info; space-sms.info

• French government's Libya site hack assessment ends up at 208.72.168.176 - the gang's main IP

Historical OSINT - Inside the 2007-2009 Series of 
Cyber Attacks Against Multiple International 
Embassies (2017-05-29 08:28) 

Remember the [1]Russian Business Network and the New Media Malware Gang?

It's been several years since I last posted an update on the group's activities, including the direct connection between the [2]Russian Business Network and the [3]New Media Malware Gang and a variety of high-profile Web site compromise campaigns.

What's particularly interesting about the group is that, back in 2007, its activities dominated the threat landscape in a targeted fashion, including the active use of client-side exploits and the active exploitation of legitimate Web sites. That positioned the group, together with the Russian Business Network, as a leading provider of malicious activity online, and it led to a series of analyses detailing the group's activities and establishing a direct connection between the New Media Malware Gang, the Russian Business Network and the Storm Worm botnet.

In this post, I'll provide a detailed analysis of the group's activities, discuss in depth its tactics, techniques and procedures (TTPs), and establish a direct connection between the New Media Malware Gang, the Russian Business Network and a series of high-profile Web site compromise campaigns.

Having tracked and profiled the group's activities for several years, and based on the actionable intelligence gathered on them, we can establish a direct connection between the New Media Malware Gang and the Russian Business Network, including a series of high-profile Web site compromise campaigns.

Key Summary Points:

- RBN connection and New Media Malware Gang connection ("ai siktir", "die()"), money mule recruitment, money laundering of virtual currency

- Actionable CYBERINT data to assist law enforcement, academics and the private sector in ongoing or past cybercrime investigations

- Complete domain portfolios registered up to the present day using the same emails used to register the malicious domains during 2007-2009, to assist law enforcement, academics and the private sector in catching up with their malicious activities over the years

- Detailed analysis of each campaign's domain portfolio (up to the present day), further dissecting the fraudulent schemes launched by the same cybercriminals that embedded malware on the embassies' Web sites

- Complete IP hosting history for each of the malicious domains/command and control servers at the time of the attack

- The "big picture" detailing the interconnections between the campaigns, with historical OSINT data pointing to the "New Media Malware Gang", back then customers of the Russian Business Network

Let's profile the group's activities, including the direct connection between the Russian Business Network, the New Media Malware Gang and the Storm Worm botnet.

In 2007, I [4]profiled the direct compromise of the Syrian Embassy in London, including the related compromises [5]USAID.gov compromised, malware and exploits served, the [6]U.S Consulate St. Petersburg Serving Malware, [7]Bank of India Serving Malware, [8]French Embassy in Libya Serving Malware, [9]Ethiopian Embassy in Washington D.C Serving Malware, [10]Embassy of India in Spain Serving Malware, and [11]Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further detailing the malicious activities of the Russian Business Network and the New Media Malware Gang.

Let's profile the campaigns and discuss in depth the direct connection between the group's activities, the Russian Business Network and the New Media Malware Gang.

sicil.info - on 2007-09-26, during the time of the attack, the domain was registered using the srvs4you@gmail.com email. The domain name first appeared online on 2006-06-10 with an IP of 213.186.33.24. On 2007-07-11 it changed IPs to 203.121.79.71, followed by another change on 2008-01-06 to 202.75.38.150, another change on 2008-05-06 to 203.186.128.154, yet another change on 2008-05-18 to 190.183.63.103, and yet another change on 2008-07-27 to 190.183.63.56.

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (sicil.info):

MD5: 4802db20da46fca2a1896d4c983b13ba

MD5: f9434d86ef2959670b73a79947b0f4d2

MD5: 32dba64ae55e7bb4850e27274da42d1b

MD5: cd6a7ff6388fbd94b7ee9cdc88ca8f4d

MD5: 57dff9e8154189f0a09fb62450decac6

Known to have responded to the same malicious C&C server IPs (sicil.info) are also the following malicious hosts:

hxxp://144.217.69.62

hxxp://63.246.128.71

hxxp://207.150.177.28

hxxp://66.111.47.62

hxxp://66.111.47.4

hxxp://66.111.47.8

Related malicious MD5s known to have responded to the same malicious C&C server IP (213.186.33.24):

MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb

MD5: 95cc3a0243aa050243ab858794c1d221

MD5: cc63d67282789e03469f2e6520c6de80

MD5: 3829506c454b86297d2828077589cbf8

MD5: 1e18b17149899d55d3625d47135a22a7

Once executed, a sample (MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb) phones back to the following malicious C&C servers:

hxxp://ioasis.org - 208.112.115.36

hxxp://polyhedrusgroup.com - 143.95.229.33

hxxp://espoirsetvie.com - 213.186.33.24

hxxp://ladiesdehaan.be - 185.59.17.113

hxxp://chonburicoop.net - 27.254.96.151

hxxp://ferienwohnung-walchensee-pur.de - 109.237.138.48

Related posts: [12]Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (Oki.ru; 89.179.174.156):

MD5: cd33ea55b2d13df592663f18e6426921

MD5: 8e0c7757b82d14b988afac075e8ed5dc

MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012

MD5: e513a1b25e59670f777398894dfe41b6

MD5: 0fad43c03d80a1eb3a2c1ae9e9a6c9ed

MD5: 6e1b789f0df30ba0798fbc47cb1cec1c

MD5: 9f02232ed0ee609c8db1b98325beaa94

Once executed, a sample (MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012) phones back to the following C&C servers:

hxxp://lordofthepings.ru - 173.254.236.159
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz
hxxp://ladyhaha.xyz
hxxp://porkhalal.site
hxxp://rihannafap.site
hxxp://bieberfans.top
hxxp://runands.top
hxxp://frontlive.net
hxxp://offerlive.net
hxxp://frontserve.net
hxxp://offerserve.net
hxxp://hanghello.ru
hxxp://hanghello.net
hxxp://septemberhello.net
hxxp://hangmine.net
hxxp://septembermine.net
hxxp://hanglive.net
hxxp://wrongserve.ru
hxxp://wrongserve.net
hxxp://madelive.net

Once executed, a sample (MD5: e513a1b25e59670f777398894dfe41b6) phones back to the following malicious C&C servers:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardlive.ru
hxxp://yardlive.net
hxxp://musiclive.net - 141.8.225.124
hxxp://yardserve.net
hxxp://musicserve.net - 185.53.177.20
hxxp://wenthello.net
hxxp://spendhello.ru
hxxp://wentmine.net
hxxp://spendmine.net
hxxp://spendhello.net
hxxp://joinlive.net
hxxp://wentserve.ru
hxxp://hanghello.net
hxxp://joinhello.net
hxxp://xl2345.org - 46.4.22.145

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (miron555.org):

MD5: 0e423596c502c1e28cce0c98df2a2b6d

MD5: e75d92defb11afe50a8cc51dfe4fb6ee

MD5: adcedd763f541e625f91030ee4de7c19

MD5: 2c664a4c1374b3d887f59599704aef6c

Over the years (up to the present day) srvs4you@gmail.com is also known to have been used to register the following domains:

hxxp://10lannlO.org
hxxp://24cargo.net
hxxp://ace-assist.biz
hxxp://activation-confirm.com
hxxp://adwoords.net
hxxp://alert-careerbuilder.com
hxxp://annebehnert.info
hxxp://apollo-services.net
hxxp://appolage.org
hxxp://auctions-ukash.com
hxxp://bbcfinancenews.com
hxxp://bestgreatoffers.org
hxxp://blackbird-registration.com
hxxp://bloomborg.biz
hxxp://businessprocl.com
hxxp://bussolutionsinc.org
hxxp://callisto-trading.com
hxxp://callisto-trading.net
hxxp://callisto-trading.org
hxxp://candy-country.com
hxxp://casheq.com
hxxp://cfca-usa.com
hxxp://cfodaily.biz
hxxp://citizenfinancial.net
hxxp://citylending.net
hxxp://clean2mail.com
hxxp://confirm-activation.com
hxxp://consultingwiz.org
hxxp://courierusa-online.com
hxxp://cristhmasx.com
hxxp://d-stanley.net
hxxp://dariazacheri.info
hxxp://des-group.com
hxxp://digital-investment-projects.com
hxxp://dns4your.net
hxxp://dvasuka.com
hxxp://easy-midnight.com
hxxp://easy-transfer.biz
hxxp://easymidnight.com
hxxp://ecareerstyle.com
hxxp://ecnoho.com
hxxp://efinancialnews.biz
hxxp://eluxuryauctions.com
hxxp://elx-ltd.net
hxxp://elx-trading.org
hxxp://elxltd.net
hxxp://emoney-ex.com
hxxp://epsincorp.net
hxxp://equitrust.org
hxxp://erobersteng.com
hxxp://erxlogistics.com
hxxp://esdeals.com
hxxp://estemaniaks.com
hxxp://eu-bis.com
hxxp://eu-cellular.com
hxxp://eubiz.org
hxxp://euwork.org
hxxp://expressdeal.info
hxxp://ezaclo.net
hxxp://fairwaylending.org
hxxp://fan-gaming.org
hxxp://fcinternatonail.com
hxxp://fidelitylending.net
hxxp://financial-forbes.com
hxxp://financialnews-us.net
hxxp://firstcapitalgroup.org
hxxp://freemydns.org
hxxp://fremontlending.net
hxxp://fresh-solutions-mail.com
hxxp://fresh-solutions.us
hxxp://garnantfoundation.com
hxxp://gazenvagen.com
hxxp://globerental.com
hxxp://googmail.biz
hxxp://i-expertadvisor.com
hxxp://icebart.com
hxxp://icqdosug.com
hxxp://iesecurityupdates.com
hxxp://indigo-consulting.org
hxxp://indigo-job-with-us.com
hxxp://indigojob.com
hxxp://indigovacancies.com
hxxp://inncoming.com
hxxp://ivsentns.com
hxxp://iwiwlive.net
hxxp://iwiwonline.net
hxxp://jobs-in-eu.org
hxxp://kelermaket.com
hxxp://kklfnews.com
hxxp://knses.com
hxxp://komodok.com
hxxp://krdns.biz
hxxp://ksfcnews.com
hxxp://ksfcradio.com
hxxp://ktes314.org
hxxp://lda-import.com
hxxp://legal-solutions.org
hxxp://lgcareer.com
hxxp://lgtcareer.com
hxxp://librarysp.com
hxxp://littlexz.com
hxxp://mariawebber.org
hxxp://megamule.net
hxxp://moneycnn.biz
hxxp://njnk.net
hxxp://ns4ur.net
hxxp://nytimesnews.biz
hxxp://o2cash.net
hxxp://offsoftsolutions.com
hxxp://pcpro-tbstumm.com
hxxp://perfect-investments.org
hxxp://progold-inc.biz
hxxp://protectedsession.com
hxxp://razsuka.com
hxxp://reutors.biz
hxxp://rushop.us
hxxp://science-and-trade.com
hxxp://secure-operations.org
hxxp://securesitinngs.com
hxxp://servicessupport.biz
hxxp://sessionprotected.com
hxxp://sicil.info
hxxp://sicil256.info
hxxp://simple-investments-mail.org
hxxp://simple-investments.net
hxxp://simple-investments.org
hxxp://sp3library.com
hxxp://speeduserhost.com
hxxp://storempire.com
hxxp://tas-corporation.com
hxxp://tas-corporation.net
hxxp://tascorporation.net
hxxp://topixus.net
hxxp://tsrcorp.net
hxxp://u-file.org
hxxp://ukashauction.net
hxxp://ultragame.org
hxxp://unitedfinancegroup.org
hxxp://vanessakoepp.org
hxxp://verymonkey.com
hxxp://vesa-group.com
hxxp://vesa-group.net
hxxp://vipvipns.net
hxxp://vipvipns.org
hxxp://wondooweria.com
hxxp://wondoowerka.com
hxxp://wootpwnseal.com
hxxp://worldeconomist.biz
hxxp://wumtt-westernunion.com
hxxp://xsoftwares.com
hxxp://xxx2008xxx.com
hxxp://yourcashlive.com
hxxp://yourlive.biz
hxxp://yourmule.com

On 2008-09-25, Oki.ru was registered using the kseninkopetrcanm.ru email. The same email address is not known to have been used to register any additional domains.

On 2008-06-19, xl2345.org was registered using the xix.xl2345@yahoo.com email. On 2007-09-10 the domain used to respond to 66.36.243.97, then on 2007-11-13 it changed IPs to 58.65.236.10, followed by another change on 2008-05-06 to 203.186.128.154. No other domains are known to have been registered using the same email address.

On 2007-06-07, miron555.org was registered using the mironbot@gmail.com email, followed by a registration email change on 2008-02-12 to nepishite555suda@gmail.com. On 2007-04-24, the domain responded to 75.126.4.163. It then changed IPs on 2007-05-09 to 203.121.71.165, followed by another change on 2007-06-08 to 58.65.239.247, yet another change on 2007-07-15 to 58.65.239.10, another change on 2007-08-19 to 58.65.239.66, a further change on 2007-09-03 to 217.170.77.210, and yet another change on 2007-09-18 to 88.255.90.138.



Historically (up to the present day), mironbot@gmail.com is also known to have been used to register the following domains:

hxxp://24-7onlinepharmacy.net
hxxp://bestmoviesonline.info
hxxp://brightstonepharma.com
hxxp://cleapotheke.com
hxxp://clozor555.info
hxxp://my-traff.cn
hxxp://pharmacyit.net
hxxp://trffc.org
hxxp://trffc3.ru
hxxp://xmpharm.com

In 2008, I profiled the direct compromise of [13]The Dutch Embassy in Moscow Serving Malware, further detailing the malicious activity of the Russian Business Network and the New Media Malware Gang.

Let's profile the campaign and discuss in depth the direct connection between the group's activities and the direct compromise of the Embassy's Web site.

On 2009-03-04, lmifsp.com was registered using the redemption@snapnames.com email. On 2007-11-30 it used to respond to 68.178.194.64, then on 2008-12-01 it changed IPs to 68.178.232.99.

In 2008, I profiled the direct compromise described in [14]Embassy of Brazil in India Compromised, further establishing a direct connection between the group's activities and the Russian Business Network.

Let's profile the campaign and discuss in depth the direct connection between the group's activities and the Russian Business Network.

hxxp://google-analyze.com - 87.118.118.193

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (google-analyze.com - 87.118.118.193):

MD5: 2bcb74c95f30e3741210c0de0c1b406f

On 2008-10-15, traff.asia was registered using the traffon@gmail.com email.

On 2008-06-19, google-analyze.com was registered using the incremental@list.ru email. On 2007-12-21 it responded to 66.36.241.153, then it changed IPs on 2007-12-22 to 66.36.231.94, followed by another change on 2008-02-03 to 79.135.166.74, then to 195.5.116.251 on 2008-03-16, to 70.84.133.34 on 2008-07-31, followed by yet another change to 216.195.59.77 on 2008-09-15.

On 2008-08-05, google-analystic.net is known to have responded to 212.117.163.162, and was registered using the abusecentre@gmail.com email. On 2008-04-11 it used to respond to 64.28.187.84; it then changed IPs to 85.255.120.195 on 2008-08-03, followed by another change on 2008-08-10 to 85.255.120.194, then to 85.255.120.197 on 2008-09-07, to 69.50.161.117 on 2008-09-14, then to 66.98.145.18 on 2008-10-11, followed by another change on 2008-10-25 to 209.160.67.56.

On 2008-11-11, beshragos.com was registered using the migejosh@yahoo.com email. On 2008-11-11 it used to respond to 79.135.187.38.

In 2009, I profiled the direct compromise of [15]Ethiopian Embassy in Washington D.C Serving Malware, further detailing the group's activities and establishing a direct connection between the group's activities and the Russian Business Network.

Let's profile the campaign and discuss in-depth the direct connection between the group's activities and the Russian Business Network.

On 2009-01-19, ltvv.com is known to have responded to 69.172.201.153; 66.96.161.140; 122.10.52.139; 122.10.18.138; 67.229.44.15; 74.200.250.130; 69.170.135.92; 64.74.223.38, and was registered using the mo-gensen@fontdrift.com email.

On 2005-08-27, the domain (ltvv.com) is known to have responded to 198.65.115.93, then on 2006-05-12 to 204.13.161.31, with yet another IP change on 2010-04-08 to 216.240.187.145, followed by yet another change on 2010-06-02 to 69.43.160.145, then on 2010-07-25 to 69.43.160.145.


On 2010-01-04, trafficinc.ru was registered using the auction@r01.ru email.

On 2009-03-01, trafficmonsterinc.ru was registered using the trafficmonsterinc.ru@r01-service.ru email.

On 2009-05-02, usl8.ru is known to have responded to 109.70.26.37; 185.12.92.229; 109.70.26.36, and was registered using the belyaev_andrey@inbox.ru email.

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 0b545cd12231d0a4239ce837cd371166
MD5: dae41c862130daebcff0e463e2c30e50
MD5: 601806c0a01926c2a94558148764797a
MD5: 45f97cd8df4448bbe073a38c264ef93f
MD5: 94aeba45e6fb4d17baa4989511e321b3

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (69.172.201.153):

MD5: 4e0ce2f9f92ac5193c2a383de6015523
MD5: a38d47fcfdaf14372cea3de850cf487d
MD5: 014d2f1bae3611e016f96a37f98fd4b7
MD5: daad60cb300101dc05d2ff922966783b
MD5: 0a775110077e2c583be56e5fb3fa4f09

Once executed, a sample malware (MD5: 4e0ce2f9f92ac5193c2a383de6015523) phones back to the following malicious C&C server IPs:


hxxp://pelcpawel.fm.interia.pl - 217.74.66.160
hxxp://pelcpawel.fm.interiowo.pl - 217.74.66.160
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100
hxxp://sso.anbtr.com - 195.22.28.222

Once executed, a sample malware (MD5: a38d47fcfdaf14372cea3de850cf487d) phones back to the following malicious C&C server IPs:

hxxp://ledyazilim.com - 213.128.83.163
hxxp://ksandrafashion.com - 166.78.145.90
hxxp://lafyeri.com - 69.172.201.153
hxxp://kulppasur.com - 52.28.249.128
hxxp://toalladepapel.com.ar

hxxp://trafficinc.ru is known to have responded to 222.73.91.203

hxxp://trafficmonsterinc.ru is known to have responded to 178.208.83.7; 178.208.83.27; 91.203.4.112

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: ce4e2e12ee16d5bde67a3dc2e3da634b
MD5: 4423e04fb3616512bf98b5a565fccdd7
MD5: 33f890c294b2ac89d1ee657b94e4341d
MD5: 1c5096c3ce645582dd18758fe523840a
MD5: 1efae0b0cb06faacae46584312a12504

Once executed, a sample malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b) phones back to the following malicious C&C server IPs:

hxxp://rms-server.tektonit.ru - 109.234.156.179
hxxp://365invest.ru - 178.208.83.7

Once executed, a sample malware (MD5: 4423e04fb3616512bf98b5a565fccdd7) phones back to the following malicious C&C server IPs:

hxxp://topstat.mcdir.ru - 178.208.83.7

Once executed, a sample malware (MD5: 33f890c294b2ac89d1ee657b94e4341d) phones back to the following malicious C&C server IPs:

hxxp://cadretest.ru - 178.208.83.7

Once executed, a sample malware (MD5: 1c5096c3ce645582dd18758fe523840a) phones back to the following malicious C&C server IPs:

hxxp://pelcpawel.fm.interia.pl - 217.74.65.161
hxxp://testtrade.ru - 178.208.83.7
hxxp://chicostara.com - 91.142.252.26

In 2009, I profiled the direct compromise of [16]Embassy of India in Spain Serving Malware, further detailing the malicious activity and further establishing a direct connection between the group's activities and the Russian Business Network.

On 2008-09-07, msn-analytics.net was registered using the palfreycrossvw@gmail.com email. On 2007-06-17 it used to respond to 82.98.235.50; it then changed IPs on 2008-09-07 to 58.65.234.9, followed by another change on 2009-11-14 to 96.9.183.149, then to 96.9.158.41 on 2009-12-29, and to 85.249.229.195 on 2010-03-09.

On 2008-07-10, pinoc.org was registered using the 4ykakabra@gmail.com email. On 2008-07-10 it responded to 58.65.234.9; it then changed IPs on 2008-08-17 to 91.203.92.13, followed by another change on 2008-08-24 to 58.65.234.9, followed by yet another change to 208.73.210.76 on 2009-10-03, and yet another change on 2009-10-06 to 96.9.186.245.

On 2008-09-20, wsxhost.net was registered using the palfreycrossvw@gmail.com email. On 2008-09-20 wsxhost.net responded to 58.65.234.9; it then changed IPs on 2008-12-22 to 202.73.57.6, followed by another change on 2009-05-18 to 202.73.57.11, yet another change on 2009-06-22 to 92.38.0.66, then to 91.212.198.116 on 2009-07-06, yet another change on 2009-08-17 to 210.51.187.45, then to 210.51.166.239 on 2009-08-25, and finally to 213.163.89.54 on 2009-09-05.

On 2008-06-29, google-analyze.cn was registered using the johnvernet@gmail.com email.

Historically (up to present day), johnvernet@gmail.com is known to have registered a further set of domains.

msn-analytics.net is known to have responded to 216.157.88.21; 85.17.25.214; 216.157.88.22; 85.17.25.215; 85.17.25.202; 216.157.88.25; 5.39.99.49; 167.114.156.214; 5.39.99.50; 66.135.63.164; 85.17.25.242; 69.43.161.210

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: eb95798965a18e7844f4c969803fbaf8
MD5: 106b6e80be769fa4a87560f82cd24b57
MD5: 519a9f1cb16399c515723143bf7ff0d0
MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5
MD5: 613e8c31edf4da1b8f8de9350a186f41

Once executed, a sample malware (MD5: eb95798965a18e7844f4c969803fbaf8) phones back to the following malicious C&C server IPs:

hxxp://vboxsvr.ovh.net
hxxp://thinstall.abetterinternet.com - 85.17.25.214
hxxp://survey-winner.net - 94.229.72.117
hxxp://survey-winner.net - 208.91.196.145
hxxp://comedy-planet.com

Once executed, a sample malware (MD5: 106b6e80be769fa4a87560f82cd24b57) phones back to the following malicious C&C server IPs:

hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

Once executed, a sample malware (MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5) phones back to the following malicious C&C server IPs:

hxxp://followfortieth.net
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

pinoc.org is known to have responded to 103.224.212.222; 185.53.179.24; 185.53.179.9; 185.53.177.10; 188.40.174.81; 46.165.247.18; 178.162.184.130

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 000125b0d0341fc078c7bdb5b7996f9e
MD5: b3bbeaca85823d5c47e36959b286bb22
MD5: 4faa9445394ba4edf73dd67e239bcbca
MD5: 9f3b9de8a3e7cd8ee2d779396799b17a
MD5: 38d07b2a1189eb1fd64296068fbaf08a

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://os.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://static.greatappsdownload.com - 54.230.187.48
hxxp://ww1.os.onlineapplicationsdownloads.com - 91.195.241.80
hxxp://os2.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://ww1.os2.onlineapplicationsdownloads.com - 91.195.241.80

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://errors.myserverstat.com - 103.224.212.222

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://scripts.div4.com - 103.224.212.222
hxxp://ww38.scripts.div4.com - 185.53.179.29

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://complaintsboard.com - 208.100.35.85
hxxp://7ew8gov.firoll-sys.com - 103.224.212.222
hxxp://yx-vom2s.hdmediastore.com - 45.33.9.234
hxxp://q8x3i<b.wwwmediahosts.com - 204.11.56.48

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://newworldorderreport.com - 50.63.202.29
hxxp://69jh93.firoll-sys.com - 103.224.212.222
hxxp://bpvvllndq5.wwwmediahosts.com - 204.11.56.48
hxxp://Odbhwuja.hdmediastore.com - 45.33.9.234

wsxhost.net is known to have responded to 184.168.221.45; 50.63.202.82; 69.43.161.172

Related malicious MD5s known to have responded to the same malicious C&C server IPs:

MD5: 117036e5a7b895429e954f733e0acada
MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be
MD5: 6e330742d22c5a5e99e6490de65fabd6
MD5: f1c9cd766817ccf55e30bb8af97bfdbb
MD5: 7f4145bc211089d9d3c666078c35cf3d

Once executed, a sample malware (MD5: 117036e5a7b895429e954f733e0acada) phones back to the following malicious C&C server IPs:

hxxp://amacweb.org
hxxp://superaffiliatehookup.com
hxxp://germanamericantax.com
hxxp://lineaidea.it
hxxp://speedysalesletter.com

Once executed, a sample malware (MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be) phones back to the following malicious C&C server IPs:

hxxp://allstatesdui.com - 50.63.202.36
hxxp://wellingtontractorparts.com - 72.167.232.158
hxxp://amacweb.org - 160.16.211.99
hxxp://nctcogic.org - 207.150.212.74

Once executed, a sample malware (MD5: 6e330742d22c5a5e99e6490de65fabd6) phones back to the following malicious C&C server IPs:

hxxp://santele.be - 176.62.170.69
hxxp://fever98radio.com - 141.8.224.93
hxxp://brushnpaint.com - 74.220.219.132
hxxp://jameser.com - 54.236.195.15
hxxp://hillsdemocrat.com - 67.225.168.30

Once executed, a sample malware (MD5: f1c9cd766817ccf55e30bb8af97bfdbb) phones back to the following malicious C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://afterpeace.net - 195.38.137.100
hxxp://sellhouse.net - 184.168.221.45

Once executed, a sample malware (MD5: 7f4145bc211089d9d3c666078c35cf3d) phones back to the following malicious C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://forcerain.net
hxxp://afterrain.net - 50.63.202.43
hxxp://forcerain.ru
hxxp://forceheld.net
google-analyze.cn is known to have responded to 103.51.144.81; 184.105.178.89; 65.19.157.235; 124.16.31.146; 123.254.111.190; 103.232.215.140; 103.232.215.147; 205.164.14.78; 50.117.116.117; 50.117.120.254; 205.164.24.45; 50.117.116.205; 50.117.122.90; 184.105.178.84; 50.117.116.204

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: df05460b5e49cbba275f6d5cbd936d1d
MD5: 7732ffcf2f4cf1d834b56df1f9d815c9
MD5: 615eb515da18feb2b87c0fb5744411ac
MD5: 24fec5b3ac1d20e61f2a3de95aeb177c
MD5: 348eed9b371ddb2755eb5c2bfaa782ee

On 2008-08-27, yahoo-analytics.net was registered using the fuadrenalray@gmail.com email.



- google-analyze.org - Email: johnvernet@gmail.com - on 2008-07-09, google-analyze.org is known to have responded to 58.65.234.9, followed by a hosting change on 2008-08-17, with google-analyze.org responding to 91.203.92.13, followed by another hosting change on 2008-08-24, with google-analyze.org responding to 202.73.57.6.

- qwehost.com - Email: 4ykakabra@gmail.com - on 2009-05-18, qwehost.com is known to have responded to 202.73.57.11, followed by a hosting change to 202.73.57.11, followed by another hosting change on 2009-06-22 pointing to 92.38.0.66, followed by yet another hosting change pointing to 91.212.198.116, followed by yet another hosting change on 2009-08-17 pointing to 210.51.187.45.

- zxchost.com - Email: 4ykakabra@gmail.com - on 2009-03-02, zxchost.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-05-18 pointing to 202.73.57.11, followed by yet another hosting change on 2009-06-22 pointing to 92.38.0.66, followed by yet another hosting change on 2009-08-25 pointing to 210.51.166.239.

- odile-marco.com - Email: OdileMarcotte@gmail.com - on 2009-05-18, odile-marco.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-06-22 pointing to 202.73.57.11, followed by yet another hosting change on 2009-07-06 pointing to 92.38.0.66, followed by yet another hosting change on 2009-08-17 pointing to 91.212.198.116.

- edcomparison.com - Email: johnvernet@gmail.com - on 2009-05-18, edcomparison.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-06-22 pointing to 202.73.57.11, followed by yet another hosting change on 2009-07-13, this time pointing to 92.38.0.66, followed by yet another hosting change on 2009-08-17, this time pointing to 210.51.187.45.

- fuadrenal.com - Email: fuadrenalRay@gmail.com - on 2009-01-26, fuadrenal.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-05-18 pointing to 202.73.57.11, followed by yet another hosting change on 2009-07-13, this time pointing to 91.212.198.116, followed by yet another hosting change on 2009-08-17, this time pointing to 91.212.198.116.

- rx-white.com - Email: johnvernet@gmail.com - on 2009-05-18, rx-white.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-06-22 pointing to 202.73.57.11, followed by yet another hosting change on 2009-07-06, this time pointing to 92.38.0.66, followed by yet another hosting change on 2009-08-17, this time pointing to 91.212.198.116.
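To make the pivoting the list above does by hand repeatable, here is an added example (not part of the original post) that clusters domains which share a hosting IP or a registrant e-mail, the two links the post relies on. The records are a constructed subset transcribed from the hosting histories above plus one unrelated control domain (example-unrelated.test) that must stay outside the cluster; the functions and the min_domains threshold are this example's own.

```python
from collections import defaultdict

# Constructed subset of the hosting histories in the list above:
# (domain, registrant e-mail, [(first-seen date, IP), ...]). Dates and IPs are
# transcribed from the post; the last record is an unrelated control domain
# (not from the post) that must not join the cluster.
RECORDS = [
    ("google-analyze.org", "johnvernet@gmail.com",
     [("2008-07-09", "58.65.234.9"), ("2008-08-17", "91.203.92.13"),
      ("2008-08-24", "202.73.57.6")]),
    ("qwehost.com", "4ykakabra@gmail.com",
     [("2009-05-18", "202.73.57.11"), ("2009-06-22", "92.38.0.66"),
      ("2009-08-17", "210.51.187.45")]),
    ("zxchost.com", "4ykakabra@gmail.com",
     [("2009-03-02", "202.73.57.6"), ("2009-05-18", "202.73.57.11"),
      ("2009-06-22", "92.38.0.66"), ("2009-08-25", "210.51.166.239")]),
    ("odile-marco.com", "OdileMarcotte@gmail.com",
     [("2009-05-18", "202.73.57.6"), ("2009-06-22", "202.73.57.11"),
      ("2009-07-06", "92.38.0.66"), ("2009-08-17", "91.212.198.116")]),
    ("rx-white.com", "johnvernet@gmail.com",
     [("2009-05-18", "202.73.57.6"), ("2009-06-22", "202.73.57.11"),
      ("2009-07-06", "92.38.0.66"), ("2009-08-17", "91.212.198.116")]),
    ("pinoc.org", "4ykakabra@gmail.com",
     [("2008-07-10", "58.65.234.9"), ("2008-08-17", "91.203.92.13"),
      ("2008-08-24", "58.65.234.9")]),
    ("example-unrelated.test", "nobody@example.test",
     [("2009-01-01", "192.0.2.10")]),
]


def build_index(records):
    """Invert the records: IP -> domains that resolved to it, and
    registrant e-mail (case-folded) -> domains registered with it."""
    by_ip, by_email = defaultdict(set), defaultdict(set)
    for domain, email, history in records:
        by_email[email.lower()].add(domain)
        for _date, ip in history:
            by_ip[ip].add(domain)
    return by_ip, by_email


def pivot_ips(records, min_domains=3):
    """IPs that hosted at least `min_domains` tracked domains: the shared
    hosting the post keeps returning to (202.73.57.x, 92.38.0.66)."""
    by_ip, _ = build_index(records)
    return {ip: len(d) for ip, d in by_ip.items() if len(d) >= min_domains}


def explain_link(records, a, b):
    """The concrete pivots tying domain a to domain b."""
    rec = {domain: (email, history) for domain, email, history in records}
    ips_a = {ip for _, ip in rec[a][1]}
    ips_b = {ip for _, ip in rec[b][1]}
    return {"ips": sorted(ips_a & ips_b),
            "same_registrant": rec[a][0].lower() == rec[b][0].lower()}


def cluster(records):
    """Union-find over domains: two domains land in the same cluster when
    they share a hosting IP or a registrant e-mail, directly or transitively.
    Returns clusters as sorted lists, largest first."""
    parent = {domain: domain for domain, _, _ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    by_ip, by_email = build_index(records)
    for group in list(by_ip.values()) + list(by_email.values()):
        first, *rest = sorted(group)
        for other in rest:
            parent[find(other)] = find(first)

    members = defaultdict(list)
    for domain in parent:
        members[find(domain)].append(domain)
    return sorted((sorted(m) for m in members.values()), key=len, reverse=True)


if __name__ == "__main__":
    for c in cluster(RECORDS):
        print(len(c), "domain(s):", ", ".join(c))
    print("shared hosting:", pivot_ips(RECORDS))
    print("google-analyze.org <-> pinoc.org:",
          explain_link(RECORDS, "google-analyze.org", "pinoc.org"))
```

Real passive-DNS and WHOIS feeds return the same (date, IP) and registrant fields, so the records list is the only part that changes when the input is live data.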

In 2009, I profiled the direct compromise of [17]Embassy of Portugal in India Serving Malware, further establishing a direct connection between the group's activities and the Russian Business Network.

On 2009-03-30, ntkrnlpa.info is known to have responded to 83.68.16.6. Related domains known to have participated in the same campaign: betstarwager.cn; ntkrnlpa.cn.

In 2007, I profiled the direct compromise of French Embassy in Libya Serving Malware, further establishing a direct connection between the group's activities and the Russian Business Network.

On 2008-11-05, tarog.us (Email: bobby10@mail.zp.ua) used to respond to 67.210.13.94, followed by a hosting change on 2009-03-02 pointing to 208.73.210.121. Related domains known to have participated in the campaign: fernando123.ws; winhex.org - Email: [18]ipspec@gmail.com.

On 2007-02-18, winhex.org used to respond to 195.189.247.56, followed by a hosting change on 2007-03-03 pointing to 89.108.85.97, followed by yet another hosting change on 2007-04-29, this time pointing to 203.121.71.165, followed by yet another hosting change on 2007-08-19, this time pointing to 69.41.162.77.

On 2007-11-23, kjiksjwflk.com (Email: sflgjlkj45@yahoo.com) used to respond to 58.65.239.114, followed by a hosting change on 2009-02-16 pointing to 38.117.90.45, followed by yet another hosting change on 2009-03-09, this time pointing to 216.188.26.235.

In 2009, I profiled the direct compromise of [19]Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further establishing a direct connection between the group's activities and the Russian Business Network.

Related domains known to have participated in the campaign:

- hxxp://filmlifemusicsite.cn; hxxp://promixgroup.cn; hxxp://betstarwager.cn; hxxp://clickcouner.cn

In 2009, I profiled the direct compromise of [20]USAID.gov compromised, malware and exploits served, further establishing a direct connection between the gang's activities and the New Media Malware Gang.

Related domains known to have participated in the campaign:

hxxp://should-be.cn - Email: admin@brut.cn; hxxp://orderasia.cn; hxxp://fileuploader.cn

In 2007, I profiled the direct compromise of [21]U.S Consulate St. Petersburg Serving Malware, further establishing a direct connection between the group's activities and the Russian Business Network.

On 2007-08-31, verymonkey.com (Email: srvs4you@gmail.com) used to respond to 212.175.23.114, followed by a hosting change on 2007-09-07 pointing to 209.123.181.185, followed by yet another hosting change on 2007-09-27, this time pointing to 88.255.90.50, followed by yet another hosting change on 2008-11-11, this time pointing to 216.188.26.235.

What's particularly interesting about the gang's activities is the fact that back in 2007 the group pioneered, for the first time, the utilization of Web malware exploitation kits, relying on the infrastructure of the Russian Business Network to successfully launch a multitude of malicious campaigns that further spread malicious software.

Related posts: 

[22] Syrian Embassy in London Serving Malware 

[23] USAID.gov compromised, malware and exploits served 

[24] U.S Consulate St. Petersburg Serving Malware 

[25] Bank of India Serving Malware 

[26] French Embassy in Libya Serving Malware 
[27] The Dutch Embassy in Moscow Serving Malware

[28] Ethiopian Embassy in Washington D.C Serving Malware 

[29] Embassy of India in Spain Serving Malware 

[30] Azerbaijanian Embassies in Pakistan and Hungary 
Serving Malware 
25. https://web-beta.archive.org/web/20101016191941/http://ddanchev.blogspot.com/2007/08/bank-of-india-serving-malware.html

26. https://web-beta.archive.org/web/20101126202011/http://ddanchev.blogspot.com/2007/12/have-your-malware-in-timely-fashion.html

27. https://web-beta.archive.org/web/20080221124306/http://ddanchev.blogspot.com/2008/01/dutch-embassy-in-moscow-serving-malware.html

28. https://web-beta.archive.org/web/20120304075303/http://ddanchev.blogspot.com/2009/03/ethiopian-embassy-in-washington-dc.html

29. https://web-beta.archive.org/web/20131222200157/http://ddanchev.blogspot.com/2009/01/embassy-of-india-in-spain-serving.html

30. https://web-beta.archive.org/web/20120303071653/http://ddanchev.blogspot.com/2009/03/azerbaijanian-embassies-in-pakistan-and.html
Historical OSINT - A Portfolio of Exploits Serving Domains (2017-05-29 09:04)

With the rise of Web malware exploitation kits continuing to proliferate, cybercriminals are poised to continue earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the active utilization of client-side exploits, further spreading malicious software and potentially compromising the confidentiality, availability and integrity of the targeted host through a multitude of malicious software.

What used to be an ecosystem dominated by proprietary DIY (do-it-yourself) malware- and exploit-generating tools is today's modern cybercrime ecosystem, dominated by Web malware exploitation kits that successfully empower novice cybercriminals with the necessary tactics, techniques and procedures for launching a fraudulent and malicious campaign potentially affecting hundreds of thousands of users globally.

In this post, we'll provide actionable intelligence on currently active IcePack Web malware exploitation kit client-side and malware-exploits serving domains.

Related IcePack Web Malware Exploitation Kit domains:

hxxp://seateremok.com/xc/index.php
hxxp://lskdfjlerjvm.com/ice-pack/index.php
hxxp://formidleren.dk/domain/mere.asp
hxxp://webs-money.info/ice-pack/index.php
hxxp://greeetthh.com/ice-pack1/index.php
hxxp://58.65.235.153/pozitive/ice/index.php
hxxp://iframe911.com/troy/us/sp/ice/index.php
hxxp://themusicmp3.info/rmpanfr/index.php

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (lskdfjlerjvm.com):

MD5: 4c0958f2f9f5ff2e5ac47e92d4006452
MD5: d955372c7ef939502c43a71ff1a9f76e
MD5: 118e24ea884d375dc9f63c986a15e5df
MD5: e825a7e975a9817441da9ba1054a3e6f
MD5: 71460d4a1c7c18ec672fed56d764ebe6

Once executed, a sample malware (MD5: d955372c7ef939502c43a71ff1a9f76e) phones back to a further set of malicious C&C server domains.

We'll continue monitoring the campaigns and post updates as soon as new developments take place.
Historical OSINT - A Portfolio of Fake/Rogue Video Codecs (2017-05-29 09:27)

Shall we expose a huge domain portfolio of fake/rogue video codecs dropping the same Zlob variant on each and every one of the domains, thereby acting as a great example of what malicious economies of scale mean?

The currently active sites promoting Zlob malware variants span a large portfolio of rogue codec domains.

Related MD5s known to have participated in the campaign:

MD5: 30965fdbd893990dd24abda2285d9edc

Why are the malicious parties so KISS-oriented at the end of every campaign, compared to the complexity and tactical warfare used to trick automated malware-harvesting approaches at the beginning of the campaign?

Because they're not even considering the possibility of someone proactively detecting the end of the many other malware campaigns to come, which will inevitably end up at these domains.
Historical OSINT - A Diversified Portfolio of Fake Security Software (2017-05-29 09:38)

Cybercriminals continue actively launching malicious and fraudulent campaigns, further spreading malicious software and potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software.

In this post, we'll profile a currently active portfolio of fake security software and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Known to have responded to the same malicious C&C server IPs (91.212.226.203; 94.228.209.195) is a further set of malicious domains.



Known to have responded to the same malicious C&C server IP (94.228.209.195) is a further set of malicious domains.

Related fraudulent and malicious domains are known to have participated in the campaign.



Known to have responded to the same malicious C&C server IP (91.212.226.203) is a further set of malicious domains.

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Google Sponsored Scareware Spotted in the Wild (2017-05-29 15:48)

Cybercriminals continue actively spreading malicious software while looking for alternative ways to acquire and monetize legitimate traffic, successfully earning fraudulent revenue in the process of spreading malicious software.

We've recently come across a Google Sponsored scareware campaign successfully enticing users into installing fake security software on their hosts, further earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based revenue-sharing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Known malicious domains known to have participated in the campaign:

hxxp://www.adwarepronow.com/?gclid=CJ6d8LSGnZ8CFRMqagodmR_KaA - 209.216.193.112

hxxp://www.antimalware-2010.com/ - 209.216.193.119

Sample detection rates for the sample malware:

MD5: 8328da91c8eba6668b3e72d547157ac7

MD5: b74412ea403241c9c60482fd13540505

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://72.167.164.199/definitions/configuration.txt

hxxp://72.167.164.199/latestversion/AntiMalwarePro_appversion.txt

We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 
Historical OSINT - A Diversified Portfolio of Pharmaceutical Scams Spotted in the Wild (2017-05-29 16:04)

Cybercriminals continue actively spreading fraudulent and malicious campaigns, potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software, further earning fraudulent revenue in the process of monetizing access to malware-infected hosts and further spreading malicious and fraudulent campaigns potentially affecting hundreds of thousands of users globally.

We've recently come across a currently active diversified portfolio of pharmaceutical scams, with the cybercriminals behind it successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts, including the active utilization of an affiliate-network based revenue-sharing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.


We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 
Historical OSINT - Massive Black Hat SEO Campaign Spotted in the Wild (2017-05-29 19:28)

Cybercriminals continue actively launching fraudulent and malicious blackhat SEO campaigns, further acquiring legitimate traffic for the purpose of converting it into malware-infected hosts, further spreading malicious software and potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software.

We've recently intercepted a currently active malicious blackhat SEO campaign serving scareware to socially engineered users, with the cybercriminals behind it earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Known malicious domains known to have participated in the campaign:

hxxp://doremisan7.net?uid=213&pid=3&ttl=319455a3f86 - 67.215.238.189

Known malicious redirector known to have participated in the campaign: hxxp://marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 - 91.205.40.5 - Email: JeremyL-Rademacher@live.com

Related malicious domains known to have been 
parked within the same malicious IP (91.205.40.5): 


Known malicious domains known to have participated 
in the campaign: 

hxxp://guard-syszone.net/?p=WKmimHVmaWyHjsblo22EeXZeOKCfZlbVoKDb2YmHWJjOxaCbkXl%2Bal6orKWeYJWfZWVilWWenGOIoGTHodjXoGJdpqmikpVuaGVvZGlkbV%2FEkKE%3D - 206.53.61.73

hxxp://yourspywarescanl5.com/scanl/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO - 85.12.24.12

Sample detection rate for sample malware: 

MD5: 3d448b584d52c6a6a45ff369d839eb06 

MD5: 54f671bb9283bf4dfdf3c891fd9cd700 

We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 
Historical OSINT - Mac OS X PornTube Malware Serving Domains (2017-05-29 20:05)

Cybercriminals continue to actively launch malicious and fraudulent malware-serving campaigns, further spreading malicious software and potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software, while earning fraudulent revenue in the process of monetizing access to malware-infected hosts.



We've recently intercepted a currently active portfolio of rogue/fake PornTube malicious and fraudulent domains, with the cybercriminals behind the campaign earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Known to have been parked within the same malicious IP (93.190.140.56) are also the following malicious domains:


We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 
Cyber Conspiracy Who OtaHiS Them All

By Dancho Danchev

The adventurous and fanciful life of a Bulgarian hacker in the 90's, caught between the musings of the security industry and the Intelligence Community, pursuing his own personal goals leading to a blissful career as a renowned security expert for an international foundation


Book Proposal - Seeking Sponsorship - Publisher Contact (2017-11-15 14:23)

Dear blog readers, as I'm currently busy writing a book, I'm currently seeking a publisher contact, with the book proposal available on request.

Approach me at ddanchev@cryptogroup.net
Document Outline

• 2016
  o April
    ■ Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users Affected (2016-04-24 21:17)
    ■ Analyzing the Bill Gates Botnet - An Analysis (2016-04-24 22:47)
    ■ Malware Campaign Using Google Docs Intercepted, Thousands of Users Affected (2016-04-26 20:13)
    ■ Malicious Client-Side Exploits Serving Campaign Intercepted, Thousands of Users Affected (2016-04-26 20:39)
  o May
    ■ Malicious Campaign Affects Hundreds of Web Sites, Thousands of Users Affected (2016-05-16 10:33)
  o August
    ■ Cybercriminals Offer Fake/Fraudulent Press Documents Accreditation On Demand (2016-08-16 20:07)
    ■ Spam-friendly Image Randomization Tool Released on the Underground Marketplace (2016-08-17 13:34)
    ■ Managed Social Engineering Based Code Signing Generating Certificate Service Spotted in the Wild (2016-08-17 14:23)
    ■ Newly Launched Cybercrime Service Offers Access to POS Terminals on Demand (2016-08-17 14:32)
    ■ New Cybercrime-Friendly Service Offers Fake Documents and Bills on Demand (2016-08-28 15:33)
    ■ Managed Hacked PCs as a Service Type of Cybercrime-friendly Service Spotted in the Wild (2016-08-28 18:38)
    ■ Managed SWF Injection Cybercrime-friendly Service Fuels Growth Within the Malvertising Market Segment (2016-08-29 11:58)
  o December
    ■ New Service Offering Fake Documents on Demand Spotted in the Wild (2016-12-21 14:08)
    ■ Historical OSINT - Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign (2016-12-23 06:47)
    ■ Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection (2016-12-23 08:02)
    ■ Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing Campaign Spotted in the Wild (2016-12-23 11:29)
    ■ Historical OSINT - Haiti-themed Blackhat SEO Campaign Serving Scareware Spotted in the Wild (2016-12-23 12:53)
    ■ Historical OSINT - Massive Black Hat SEO Campaign Serving Scareware Spotted in the Wild (2016-12-24 05:47)
    ■ Historical OSINT - FTLog Worm Spreading Across Fotolog (2016-12-24 12:49)
    ■ Historical OSINT - Google Docs Hosted Rogue Chrome Extension Serving Campaign Spotted in the Wild (2016-12-24 19:12)
    ■ Historical OSINT - Rogue MyWebFace Application Serving Adware Spotted in the Wild (2016-12-25 07:20)
    ■ Historical OSINT - Koobface Gang Utilizes Google Groups, Serves Scareware and Malicious Software (2016-12-25 19:58)
    ■ Historical OSINT - Hundreds of Malicious Web Sites Serve Client-Side Exploits, Lead to Rogue YouTube Video Players (2016-12-25 21:47)
    ■ Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware (2016-12-25 22:43)
• 2017
  o January
    ■ Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware - Part Two (2017-01-05 10:22)
    ■ Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware (2017-01-05 11:19)
  o May
    ■ Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies (2017-05-29 08:28)
    ■ Historical OSINT - A Portfolio of Exploits Serving Domains (2017-05-29 09:04)
    ■ Historical OSINT - A Portfolio of Fake/Rogue Video Codecs (2017-05-29 09:27)
    ■ Historical OSINT - A Diversified Portfolio of Fake Security Software (2017-05-29 09:38)
    ■ Historical OSINT - Google Sponsored Scareware Spotted in the Wild (2017-05-29 15:48)
    ■ Historical OSINT - A Diversified Portfolio of Pharmaceutical Scams Spotted in the Wild (2017-05-29 16:04)
    ■ Historical OSINT - Massive Black Hat SEO Campaign Spotted in the Wild (2017-05-29 19:28)
    ■ Historical OSINT - Mac OS X PornTube Malware Serving Domains (2017-05-29 20:05)
  o November
    ■ Book Proposal - Seeking Sponsorship - Publisher Contact (2017-11-15 14:23)